From b0d8ed94fe9e74afb49fdf5f11e4add29879c65c Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Thu, 12 Apr 2007 20:30:08 +0000 Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.1.1) --- testing/tests/ikev1/alg-blowfish/description.txt | 4 + testing/tests/ikev1/alg-blowfish/evaltest.dat | 9 +++ .../ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/alg-blowfish/posttest.dat | 2 + testing/tests/ikev1/alg-blowfish/pretest.dat | 5 ++ testing/tests/ikev1/alg-blowfish/test.conf | 22 ++++++ testing/tests/ikev1/alg-serpent/description.txt | 4 + testing/tests/ikev1/alg-serpent/evaltest.dat | 9 +++ .../ikev1/alg-serpent/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/alg-serpent/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/alg-serpent/posttest.dat | 2 + testing/tests/ikev1/alg-serpent/pretest.dat | 5 ++ testing/tests/ikev1/alg-serpent/test.conf | 22 ++++++ .../ikev1/alg-sha-equals-sha1/description.txt | 5 ++ .../tests/ikev1/alg-sha-equals-sha1/evaltest.dat | 9 +++ .../alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf | 26 +++++++ .../alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf | 26 +++++++ .../tests/ikev1/alg-sha-equals-sha1/posttest.dat | 2 + .../tests/ikev1/alg-sha-equals-sha1/pretest.dat | 5 ++ testing/tests/ikev1/alg-sha-equals-sha1/test.conf | 22 ++++++ testing/tests/ikev1/alg-sha2_256/description.txt | 4 + testing/tests/ikev1/alg-sha2_256/evaltest.dat | 9 +++ .../ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/alg-sha2_256/posttest.dat | 2 + testing/tests/ikev1/alg-sha2_256/pretest.dat | 5 ++ testing/tests/ikev1/alg-sha2_256/test.conf | 22 ++++++ testing/tests/ikev1/alg-twofish/description.txt | 4 + testing/tests/ikev1/alg-twofish/evaltest.dat | 8 ++ .../ikev1/alg-twofish/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/alg-twofish/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/alg-twofish/posttest.dat | 2 + testing/tests/ikev1/alg-twofish/pretest.dat | 5 ++ testing/tests/ikev1/alg-twofish/test.conf | 22 ++++++ testing/tests/ikev1/attr-cert/description.txt | 7 ++ testing/tests/ikev1/attr-cert/evaltest.dat | 12 +++ .../ikev1/attr-cert/hosts/carol/etc/ipsec.conf | 32 ++++++++ .../ikev1/attr-cert/hosts/dave/etc/ipsec.conf | 32 ++++++++ .../ikev1/attr-cert/hosts/moon/etc/ipsec.conf | 30 ++++++++ .../hosts/moon/etc/ipsec.d/aacerts/aaCert.pem | 25 +++++++ .../attr-cert/hosts/moon/etc/openac/aaKey.pem | 27 +++++++ .../attr-cert/hosts/moon/etc/openac/carolCert.pem | 25 +++++++ .../attr-cert/hosts/moon/etc/openac/daveCert.pem | 25 +++++++ .../attr-cert/hosts/moon/etc/openac/default.conf | 4 + testing/tests/ikev1/attr-cert/posttest.dat | 6 ++ testing/tests/ikev1/attr-cert/pretest.dat | 12 +++ testing/tests/ikev1/attr-cert/test.conf | 21 ++++++ testing/tests/ikev1/compress/description.txt | 3 + testing/tests/ikev1/compress/evaltest.dat | 10 +++ .../ikev1/compress/hosts/carol/etc/ipsec.conf | 24 ++++++ .../tests/ikev1/compress/hosts/moon/etc/ipsec.conf | 24 ++++++ testing/tests/ikev1/compress/posttest.dat | 2 + testing/tests/ikev1/compress/pretest.dat | 5 ++ testing/tests/ikev1/compress/test.conf | 22 ++++++ testing/tests/ikev1/crl-from-cache/description.txt | 5 ++ testing/tests/ikev1/crl-from-cache/evaltest.dat | 10 +++ .../crl-from-cache/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf | 35 +++++++++ testing/tests/ikev1/crl-from-cache/posttest.dat | 4 + testing/tests/ikev1/crl-from-cache/pretest.dat | 8 ++ testing/tests/ikev1/crl-from-cache/test.conf | 21 ++++++ testing/tests/ikev1/crl-ldap/description.txt | 9 +++ testing/tests/ikev1/crl-ldap/evaltest.dat | 16 ++++ .../ikev1/crl-ldap/hosts/carol/etc/init.d/iptables | 73 ++++++++++++++++++ .../ikev1/crl-ldap/hosts/carol/etc/ipsec.conf | 30 ++++++++ .../5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl | Bin 0 -> 560 bytes .../ikev1/crl-ldap/hosts/moon/etc/init.d/iptables | 76 +++++++++++++++++++ .../tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf | 41 ++++++++++ .../5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl | Bin 0 -> 560 bytes testing/tests/ikev1/crl-ldap/posttest.dat | 7 ++ testing/tests/ikev1/crl-ldap/pretest.dat | 8 ++ testing/tests/ikev1/crl-ldap/test.conf | 21 ++++++ testing/tests/ikev1/crl-revoked/description.txt | 7 ++ testing/tests/ikev1/crl-revoked/evaltest.dat | 6 ++ .../ikev1/crl-revoked/hosts/carol/etc/ipsec.conf | 23 ++++++ .../carol/etc/ipsec.d/certs/carolRevokedCert.pem | 25 +++++++ .../carol/etc/ipsec.d/private/carolRevokedKey.pem | 27 +++++++ .../crl-revoked/hosts/carol/etc/ipsec.secrets | 3 + .../ikev1/crl-revoked/hosts/moon/etc/ipsec.conf | 34 +++++++++ testing/tests/ikev1/crl-revoked/posttest.dat | 4 + testing/tests/ikev1/crl-revoked/pretest.dat | 4 + testing/tests/ikev1/crl-revoked/test.conf | 21 ++++++ testing/tests/ikev1/crl-strict/description.txt | 6 ++ testing/tests/ikev1/crl-strict/evaltest.dat | 8 ++ .../ikev1/crl-strict/hosts/carol/etc/ipsec.conf | 23 ++++++ .../ikev1/crl-strict/hosts/moon/etc/ipsec.conf | 34 +++++++++ testing/tests/ikev1/crl-strict/posttest.dat | 2 + testing/tests/ikev1/crl-strict/pretest.dat | 4 + testing/tests/ikev1/crl-strict/test.conf | 21 ++++++ testing/tests/ikev1/crl-to-cache/description.txt | 6 ++ testing/tests/ikev1/crl-to-cache/evaltest.dat | 4 + .../ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf | 23 ++++++ .../ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf | 22 ++++++ testing/tests/ikev1/crl-to-cache/posttest.dat | 4 + testing/tests/ikev1/crl-to-cache/pretest.dat | 4 + testing/tests/ikev1/crl-to-cache/test.conf | 21 ++++++ testing/tests/ikev1/default-keys/description.txt | 8 ++ testing/tests/ikev1/default-keys/evaltest.dat | 9 +++ .../ikev1/default-keys/hosts/carol/etc/ipsec.conf | 25 +++++++ .../default-keys/hosts/moon/etc/init.d/iptables | 78 +++++++++++++++++++ .../ikev1/default-keys/hosts/moon/etc/ipsec.conf | 26 +++++++ testing/tests/ikev1/default-keys/posttest.dat | 8 ++ testing/tests/ikev1/default-keys/pretest.dat | 18 +++++ testing/tests/ikev1/default-keys/test.conf | 21 ++++++ testing/tests/ikev1/double-nat-net/description.txt | 7 ++ testing/tests/ikev1/double-nat-net/evaltest.dat | 5 ++ .../double-nat-net/hosts/alice/etc/ipsec.conf | 24 ++++++ .../ikev1/double-nat-net/hosts/bob/etc/ipsec.conf | 24 ++++++ testing/tests/ikev1/double-nat-net/posttest.dat | 9 +++ testing/tests/ikev1/double-nat-net/pretest.dat | 15 ++++ testing/tests/ikev1/double-nat-net/test.conf | 21 ++++++ testing/tests/ikev1/double-nat/description.txt | 5 ++ testing/tests/ikev1/double-nat/evaltest.dat | 5 ++ .../ikev1/double-nat/hosts/alice/etc/ipsec.conf | 24 ++++++ testing/tests/ikev1/double-nat/posttest.dat | 8 ++ testing/tests/ikev1/double-nat/pretest.dat | 13 ++++ testing/tests/ikev1/double-nat/test.conf | 21 ++++++ testing/tests/ikev1/dpd-clear/description.txt | 5 ++ testing/tests/ikev1/dpd-clear/evaltest.dat | 7 ++ .../ikev1/dpd-clear/hosts/moon/etc/ipsec.conf | 29 +++++++ testing/tests/ikev1/dpd-clear/posttest.dat | 3 + testing/tests/ikev1/dpd-clear/pretest.dat | 4 + testing/tests/ikev1/dpd-clear/test.conf | 21 ++++++ .../tests/ikev1/esp-ah-transport/description.txt | 5 ++ testing/tests/ikev1/esp-ah-transport/evaltest.dat | 8 ++ .../hosts/carol/etc/init.d/iptables | 73 ++++++++++++++++++ .../esp-ah-transport/hosts/carol/etc/ipsec.conf | 27 +++++++ .../hosts/moon/etc/init.d/iptables | 76 +++++++++++++++++++ .../esp-ah-transport/hosts/moon/etc/ipsec.conf | 27 +++++++ testing/tests/ikev1/esp-ah-transport/posttest.dat | 4 + testing/tests/ikev1/esp-ah-transport/pretest.dat | 6 ++ testing/tests/ikev1/esp-ah-transport/test.conf | 22 ++++++ testing/tests/ikev1/esp-ah-tunnel/description.txt | 6 ++ testing/tests/ikev1/esp-ah-tunnel/evaltest.dat | 8 ++ .../esp-ah-tunnel/hosts/carol/etc/init.d/iptables | 73 ++++++++++++++++++ .../ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf | 27 +++++++ .../esp-ah-tunnel/hosts/moon/etc/init.d/iptables | 76 +++++++++++++++++++ .../ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf | 27 +++++++ testing/tests/ikev1/esp-ah-tunnel/posttest.dat | 4 + testing/tests/ikev1/esp-ah-tunnel/pretest.dat | 6 ++ testing/tests/ikev1/esp-ah-tunnel/test.conf | 22 ++++++ testing/tests/ikev1/esp-alg-des/description.txt | 5 ++ testing/tests/ikev1/esp-alg-des/evaltest.dat | 6 ++ .../ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/esp-alg-des/posttest.dat | 2 + testing/tests/ikev1/esp-alg-des/pretest.dat | 5 ++ testing/tests/ikev1/esp-alg-des/test.conf | 22 ++++++ testing/tests/ikev1/esp-alg-null/description.txt | 5 ++ testing/tests/ikev1/esp-alg-null/evaltest.dat | 5 ++ .../ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/esp-alg-null/posttest.dat | 2 + testing/tests/ikev1/esp-alg-null/pretest.dat | 5 ++ testing/tests/ikev1/esp-alg-null/test.conf | 22 ++++++ .../ikev1/esp-alg-strict-fail/description.txt | 5 ++ .../tests/ikev1/esp-alg-strict-fail/evaltest.dat | 9 +++ .../esp-alg-strict-fail/hosts/carol/etc/ipsec.conf | 24 ++++++ .../esp-alg-strict-fail/hosts/moon/etc/ipsec.conf | 25 +++++++ .../tests/ikev1/esp-alg-strict-fail/posttest.dat | 2 + .../tests/ikev1/esp-alg-strict-fail/pretest.dat | 4 + testing/tests/ikev1/esp-alg-strict-fail/test.conf | 21 ++++++ testing/tests/ikev1/esp-alg-strict/description.txt | 7 ++ testing/tests/ikev1/esp-alg-strict/evaltest.dat | 7 ++ .../esp-alg-strict/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/esp-alg-strict/posttest.dat | 2 + testing/tests/ikev1/esp-alg-strict/pretest.dat | 4 + testing/tests/ikev1/esp-alg-strict/test.conf | 22 ++++++ testing/tests/ikev1/esp-alg-weak/description.txt | 5 ++ testing/tests/ikev1/esp-alg-weak/evaltest.dat | 5 ++ .../ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf | 23 ++++++ testing/tests/ikev1/esp-alg-weak/posttest.dat | 2 + testing/tests/ikev1/esp-alg-weak/pretest.dat | 5 ++ testing/tests/ikev1/esp-alg-weak/test.conf | 22 ++++++ testing/tests/ikev1/host2host-cert/description.txt | 4 + testing/tests/ikev1/host2host-cert/evaltest.dat | 5 ++ testing/tests/ikev1/host2host-cert/posttest.dat | 4 + testing/tests/ikev1/host2host-cert/pretest.dat | 6 ++ testing/tests/ikev1/host2host-cert/test.conf | 21 ++++++ .../tests/ikev1/host2host-swapped/description.txt | 3 + testing/tests/ikev1/host2host-swapped/evaltest.dat | 5 ++ .../host2host-swapped/hosts/moon/etc/ipsec.conf | 23 ++++++ .../host2host-swapped/hosts/sun/etc/ipsec.conf | 24 ++++++ testing/tests/ikev1/host2host-swapped/posttest.dat | 4 + testing/tests/ikev1/host2host-swapped/pretest.dat | 6 ++ testing/tests/ikev1/host2host-swapped/test.conf | 21 ++++++ .../ikev1/host2host-transport/description.txt | 4 + .../tests/ikev1/host2host-transport/evaltest.dat | 5 ++ .../host2host-transport/hosts/moon/etc/ipsec.conf | 24 ++++++ .../host2host-transport/hosts/sun/etc/ipsec.conf | 25 +++++++ .../tests/ikev1/host2host-transport/posttest.dat | 4 + .../tests/ikev1/host2host-transport/pretest.dat | 6 ++ testing/tests/ikev1/host2host-transport/test.conf | 21 ++++++ .../tests/ikev1/ike-alg-sha2_384/description.txt | 4 + testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat | 8 ++ .../ike-alg-sha2_384/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ike-alg-sha2_384/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/ike-alg-sha2_384/posttest.dat | 2 + testing/tests/ikev1/ike-alg-sha2_384/pretest.dat | 5 ++ testing/tests/ikev1/ike-alg-sha2_384/test.conf | 22 ++++++ .../tests/ikev1/ike-alg-sha2_512/description.txt | 4 + testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat | 8 ++ .../ike-alg-sha2_512/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ike-alg-sha2_512/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/ike-alg-sha2_512/posttest.dat | 2 + testing/tests/ikev1/ike-alg-sha2_512/pretest.dat | 5 ++ testing/tests/ikev1/ike-alg-sha2_512/test.conf | 22 ++++++ .../ikev1/ike-alg-strict-fail/description.txt | 5 ++ .../tests/ikev1/ike-alg-strict-fail/evaltest.dat | 5 ++ .../ike-alg-strict-fail/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ike-alg-strict-fail/hosts/moon/etc/ipsec.conf | 25 +++++++ .../tests/ikev1/ike-alg-strict-fail/posttest.dat | 2 + .../tests/ikev1/ike-alg-strict-fail/pretest.dat | 4 + testing/tests/ikev1/ike-alg-strict-fail/test.conf | 21 ++++++ testing/tests/ikev1/ike-alg-strict/description.txt | 5 ++ testing/tests/ikev1/ike-alg-strict/evaltest.dat | 7 ++ .../ike-alg-strict/hosts/carol/etc/ipsec.conf | 24 ++++++ .../ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/ike-alg-strict/posttest.dat | 2 + testing/tests/ikev1/ike-alg-strict/pretest.dat | 4 + testing/tests/ikev1/ike-alg-strict/test.conf | 21 ++++++ .../tests/ikev1/mode-config-push/description.txt | 10 +++ testing/tests/ikev1/mode-config-push/evaltest.dat | 16 ++++ .../mode-config-push/hosts/carol/etc/ipsec.conf | 30 ++++++++ .../mode-config-push/hosts/dave/etc/ipsec.conf | 30 ++++++++ .../mode-config-push/hosts/moon/etc/ipsec.conf | 33 ++++++++ testing/tests/ikev1/mode-config-push/posttest.dat | 8 ++ testing/tests/ikev1/mode-config-push/pretest.dat | 10 +++ testing/tests/ikev1/mode-config-push/test.conf | 21 ++++++ .../ikev1/mode-config-swapped/description.txt | 3 + .../tests/ikev1/mode-config-swapped/evaltest.dat | 16 ++++ .../mode-config-swapped/hosts/carol/etc/ipsec.conf | 29 +++++++ .../mode-config-swapped/hosts/dave/etc/ipsec.conf | 29 +++++++ .../mode-config-swapped/hosts/moon/etc/ipsec.conf | 32 ++++++++ .../tests/ikev1/mode-config-swapped/posttest.dat | 8 ++ .../tests/ikev1/mode-config-swapped/pretest.dat | 9 +++ testing/tests/ikev1/mode-config-swapped/test.conf | 21 ++++++ testing/tests/ikev1/mode-config/description.txt | 7 ++ testing/tests/ikev1/mode-config/evaltest.dat | 16 ++++ .../ikev1/mode-config/hosts/carol/etc/ipsec.conf | 29 +++++++ .../ikev1/mode-config/hosts/dave/etc/ipsec.conf | 29 +++++++ .../ikev1/mode-config/hosts/moon/etc/ipsec.conf | 32 ++++++++ testing/tests/ikev1/mode-config/posttest.dat | 8 ++ testing/tests/ikev1/mode-config/pretest.dat | 10 +++ testing/tests/ikev1/mode-config/test.conf | 21 ++++++ .../ikev1/multi-level-ca-ldap/description.txt | 11 +++ .../tests/ikev1/multi-level-ca-ldap/evaltest.dat | 13 ++++ .../multi-level-ca-ldap/hosts/carol/etc/ipsec.conf | 31 ++++++++ .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 25 +++++++ .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 +++++++ .../hosts/carol/etc/ipsec.secrets | 3 + .../multi-level-ca-ldap/hosts/dave/etc/ipsec.conf | 31 ++++++++ .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 24 ++++++ .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 27 +++++++ .../hosts/moon/etc/init.d/iptables | 76 +++++++++++++++++++ .../multi-level-ca-ldap/hosts/moon/etc/ipsec.conf | 46 ++++++++++++ .../moon/etc/ipsec.d/cacerts/researchCert.pem | 23 ++++++ .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem | 22 ++++++ .../tests/ikev1/multi-level-ca-ldap/posttest.dat | 7 ++ .../tests/ikev1/multi-level-ca-ldap/pretest.dat | 10 +++ testing/tests/ikev1/multi-level-ca-ldap/test.conf | 21 ++++++ .../ikev1/multi-level-ca-loop/description.txt | 6 ++ .../tests/ikev1/multi-level-ca-loop/evaltest.dat | 3 + .../multi-level-ca-loop/hosts/carol/etc/ipsec.conf | 27 +++++++ .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 25 +++++++ .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 +++++++ .../hosts/carol/etc/ipsec.secrets | 3 + .../multi-level-ca-loop/hosts/moon/etc/ipsec.conf | 23 ++++++ .../etc/ipsec.d/cacerts/research_by_salesCert.pem | 24 ++++++ .../etc/ipsec.d/cacerts/sales_by_researchCert.pem | 24 ++++++ .../tests/ikev1/multi-level-ca-loop/posttest.dat | 4 + .../tests/ikev1/multi-level-ca-loop/pretest.dat | 6 ++ testing/tests/ikev1/multi-level-ca-loop/test.conf | 21 ++++++ .../ikev1/multi-level-ca-revoked/description.txt | 4 + .../ikev1/multi-level-ca-revoked/evaltest.dat | 6 ++ .../hosts/carol/etc/ipsec.conf | 23 ++++++ .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 25 +++++++ .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 +++++++ .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/moon/etc/ipsec.conf | 28 +++++++ .../moon/etc/ipsec.d/cacerts/researchCert.pem | 23 ++++++ .../ikev1/multi-level-ca-revoked/posttest.dat | 3 + .../tests/ikev1/multi-level-ca-revoked/pretest.dat | 4 + .../tests/ikev1/multi-level-ca-revoked/test.conf | 21 ++++++ .../ikev1/multi-level-ca-strict/description.txt | 10 +++ .../tests/ikev1/multi-level-ca-strict/evaltest.dat | 12 +++ .../hosts/carol/etc/ipsec.conf | 31 ++++++++ .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 25 +++++++ .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 +++++++ .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/dave/etc/ipsec.conf | 31 ++++++++ .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 24 ++++++ .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 27 +++++++ .../hosts/moon/etc/ipsec.conf | 35 +++++++++ .../moon/etc/ipsec.d/cacerts/researchCert.pem | 23 ++++++ .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem | 22 ++++++ .../tests/ikev1/multi-level-ca-strict/posttest.dat | 5 ++ .../tests/ikev1/multi-level-ca-strict/pretest.dat | 9 +++ .../tests/ikev1/multi-level-ca-strict/test.conf | 21 ++++++ testing/tests/ikev1/multi-level-ca/description.txt | 7 ++ testing/tests/ikev1/multi-level-ca/evaltest.dat | 12 +++ .../multi-level-ca/hosts/carol/etc/ipsec.conf | 32 ++++++++ .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 25 +++++++ .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 +++++++ .../multi-level-ca/hosts/carol/etc/ipsec.secrets | 3 + .../ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf | 32 ++++++++ .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 24 ++++++ .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 27 +++++++ .../ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf | 36 +++++++++ .../moon/etc/ipsec.d/cacerts/researchCert.pem | 23 ++++++ .../hosts/moon/etc/ipsec.d/cacerts/salesCert.pem | 22 ++++++ testing/tests/ikev1/multi-level-ca/posttest.dat | 5 ++ testing/tests/ikev1/multi-level-ca/pretest.dat | 9 +++ testing/tests/ikev1/multi-level-ca/test.conf | 21 ++++++ testing/tests/ikev1/nat-before-esp/description.txt | 6 ++ testing/tests/ikev1/nat-before-esp/evaltest.dat | 9 +++ .../nat-before-esp/hosts/moon/etc/init.d/iptables | 83 +++++++++++++++++++++ .../ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf | 24 ++++++ .../ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf | 23 ++++++ testing/tests/ikev1/nat-before-esp/posttest.dat | 5 ++ testing/tests/ikev1/nat-before-esp/pretest.dat | 6 ++ testing/tests/ikev1/nat-before-esp/test.conf | 21 ++++++ testing/tests/ikev1/nat-one-rw/description.txt | 5 ++ testing/tests/ikev1/nat-one-rw/evaltest.dat | 5 ++ testing/tests/ikev1/nat-one-rw/posttest.dat | 6 ++ testing/tests/ikev1/nat-one-rw/pretest.dat | 10 +++ testing/tests/ikev1/nat-one-rw/test.conf | 21 ++++++ testing/tests/ikev1/nat-two-rw-psk/description.txt | 6 ++ testing/tests/ikev1/nat-two-rw-psk/evaltest.dat | 9 +++ .../nat-two-rw-psk/hosts/alice/etc/ipsec.conf | 20 +++++ .../nat-two-rw-psk/hosts/alice/etc/ipsec.secrets | 3 + .../ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf | 22 ++++++ .../nat-two-rw-psk/hosts/sun/etc/ipsec.secrets | 3 + .../nat-two-rw-psk/hosts/venus/etc/ipsec.conf | 20 +++++ .../nat-two-rw-psk/hosts/venus/etc/ipsec.secrets | 3 + testing/tests/ikev1/nat-two-rw-psk/posttest.dat | 8 ++ testing/tests/ikev1/nat-two-rw-psk/pretest.dat | 16 ++++ testing/tests/ikev1/nat-two-rw-psk/test.conf | 21 ++++++ testing/tests/ikev1/nat-two-rw/description.txt | 5 ++ testing/tests/ikev1/nat-two-rw/evaltest.dat | 9 +++ testing/tests/ikev1/nat-two-rw/posttest.dat | 8 ++ testing/tests/ikev1/nat-two-rw/pretest.dat | 13 ++++ testing/tests/ikev1/nat-two-rw/test.conf | 21 ++++++ testing/tests/ikev1/net2net-cert/description.txt | 6 ++ testing/tests/ikev1/net2net-cert/evaltest.dat | 5 ++ testing/tests/ikev1/net2net-cert/posttest.dat | 4 + testing/tests/ikev1/net2net-cert/pretest.dat | 6 ++ testing/tests/ikev1/net2net-cert/test.conf | 21 ++++++ testing/tests/ikev1/net2net-pgp/description.txt | 6 ++ testing/tests/ikev1/net2net-pgp/evaltest.dat | 5 ++ .../ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf | 23 ++++++ .../hosts/moon/etc/ipsec.d/certs/moonCert.asc | 15 ++++ .../hosts/moon/etc/ipsec.d/certs/sunCert.asc | 15 ++++ .../hosts/moon/etc/ipsec.d/private/moonKey.asc | 19 +++++ .../ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets | 3 + .../ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf | 23 ++++++ .../hosts/sun/etc/ipsec.d/certs/moonCert.asc | 15 ++++ .../hosts/sun/etc/ipsec.d/certs/sunCert.asc | 15 ++++ .../hosts/sun/etc/ipsec.d/private/sunKey.asc | 19 +++++ .../ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets | 3 + testing/tests/ikev1/net2net-pgp/posttest.dat | 8 ++ testing/tests/ikev1/net2net-pgp/pretest.dat | 8 ++ testing/tests/ikev1/net2net-pgp/test.conf | 21 ++++++ .../tests/ikev1/net2net-psk-fail/description.txt | 7 ++ testing/tests/ikev1/net2net-psk-fail/evaltest.dat | 6 ++ .../net2net-psk-fail/hosts/moon/etc/ipsec.conf | 22 ++++++ .../net2net-psk-fail/hosts/moon/etc/ipsec.secrets | 7 ++ .../net2net-psk-fail/hosts/sun/etc/ipsec.conf | 22 ++++++ .../net2net-psk-fail/hosts/sun/etc/ipsec.secrets | 7 ++ testing/tests/ikev1/net2net-psk-fail/posttest.dat | 2 + testing/tests/ikev1/net2net-psk-fail/pretest.dat | 6 ++ testing/tests/ikev1/net2net-psk-fail/test.conf | 21 ++++++ testing/tests/ikev1/net2net-psk/description.txt | 6 ++ testing/tests/ikev1/net2net-psk/evaltest.dat | 5 ++ .../ikev1/net2net-psk/hosts/moon/etc/ipsec.conf | 23 ++++++ .../ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets | 7 ++ .../ikev1/net2net-psk/hosts/sun/etc/ipsec.conf | 23 ++++++ .../ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets | 7 ++ testing/tests/ikev1/net2net-psk/posttest.dat | 4 + testing/tests/ikev1/net2net-psk/pretest.dat | 8 ++ testing/tests/ikev1/net2net-psk/test.conf | 21 ++++++ testing/tests/ikev1/net2net-route/description.txt | 9 +++ testing/tests/ikev1/net2net-route/evaltest.dat | 6 ++ .../ikev1/net2net-route/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/net2net-route/posttest.dat | 4 + testing/tests/ikev1/net2net-route/pretest.dat | 6 ++ testing/tests/ikev1/net2net-route/test.conf | 21 ++++++ testing/tests/ikev1/net2net-rsa/description.txt | 6 ++ testing/tests/ikev1/net2net-rsa/evaltest.dat | 5 ++ .../ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf | 24 ++++++ .../ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets | 17 +++++ .../ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf | 24 ++++++ .../ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets | 17 +++++ testing/tests/ikev1/net2net-rsa/posttest.dat | 4 + testing/tests/ikev1/net2net-rsa/pretest.dat | 8 ++ testing/tests/ikev1/net2net-rsa/test.conf | 21 ++++++ testing/tests/ikev1/net2net-start/description.txt | 8 ++ testing/tests/ikev1/net2net-start/evaltest.dat | 5 ++ .../ikev1/net2net-start/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/net2net-start/posttest.dat | 4 + testing/tests/ikev1/net2net-start/pretest.dat | 5 ++ testing/tests/ikev1/net2net-start/test.conf | 21 ++++++ testing/tests/ikev1/no-priv-key/description.txt | 4 + testing/tests/ikev1/no-priv-key/evaltest.dat | 4 + .../no-priv-key/hosts/carol/etc/ipsec.secrets | 3 + testing/tests/ikev1/no-priv-key/posttest.dat | 2 + testing/tests/ikev1/no-priv-key/pretest.dat | 4 + testing/tests/ikev1/no-priv-key/test.conf | 21 ++++++ testing/tests/ikev1/ocsp-revoked/description.txt | 7 ++ testing/tests/ikev1/ocsp-revoked/evaltest.dat | 6 ++ .../ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf | 28 +++++++ .../carol/etc/ipsec.d/certs/carolRevokedCert.pem | 25 +++++++ .../carol/etc/ipsec.d/private/carolRevokedKey.pem | 27 +++++++ .../ocsp-revoked/hosts/carol/etc/ipsec.secrets | 3 + .../ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf | 39 ++++++++++ testing/tests/ikev1/ocsp-revoked/posttest.dat | 4 + testing/tests/ikev1/ocsp-revoked/pretest.dat | 4 + testing/tests/ikev1/ocsp-revoked/test.conf | 21 ++++++ testing/tests/ikev1/ocsp-strict/description.txt | 6 ++ testing/tests/ikev1/ocsp-strict/evaltest.dat | 8 ++ .../ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf | 28 +++++++ .../ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf | 39 ++++++++++ testing/tests/ikev1/ocsp-strict/posttest.dat | 2 + testing/tests/ikev1/ocsp-strict/pretest.dat | 4 + testing/tests/ikev1/ocsp-strict/test.conf | 21 ++++++ testing/tests/ikev1/protoport-dual/description.txt | 6 ++ testing/tests/ikev1/protoport-dual/evaltest.dat | 7 ++ .../protoport-dual/hosts/carol/etc/ipsec.conf | 30 ++++++++ .../ikev1/protoport-dual/hosts/moon/etc/ipsec.conf | 30 ++++++++ testing/tests/ikev1/protoport-dual/posttest.dat | 4 + testing/tests/ikev1/protoport-dual/pretest.dat | 7 ++ testing/tests/ikev1/protoport-dual/test.conf | 21 ++++++ testing/tests/ikev1/protoport-pass/description.txt | 13 ++++ testing/tests/ikev1/protoport-pass/evaltest.dat | 7 ++ .../protoport-pass/hosts/carol/etc/ipsec.conf | 26 +++++++ .../ikev1/protoport-pass/hosts/moon/etc/ipsec.conf | 26 +++++++ testing/tests/ikev1/protoport-pass/posttest.dat | 4 + testing/tests/ikev1/protoport-pass/pretest.dat | 10 +++ testing/tests/ikev1/protoport-pass/test.conf | 21 ++++++ .../tests/ikev1/protoport-route/description.txt | 8 ++ testing/tests/ikev1/protoport-route/evaltest.dat | 8 ++ .../protoport-route/hosts/carol/etc/ipsec.conf | 30 ++++++++ .../protoport-route/hosts/moon/etc/ipsec.conf | 30 ++++++++ testing/tests/ikev1/protoport-route/posttest.dat | 4 + testing/tests/ikev1/protoport-route/pretest.dat | 6 ++ testing/tests/ikev1/protoport-route/test.conf | 21 ++++++ testing/tests/ikev1/req-pkcs10/description.txt | 11 +++ testing/tests/ikev1/req-pkcs10/evaltest.dat | 5 ++ .../ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf | 28 +++++++ .../ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets | 3 + .../req-pkcs10/hosts/carol/etc/scepclient.conf | 3 + .../ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets | 3 + .../req-pkcs10/hosts/moon/etc/scepclient.conf | 4 + .../req-pkcs10/hosts/winnetou/etc/openssl/yy.txt | 2 + testing/tests/ikev1/req-pkcs10/posttest.dat | 11 +++ testing/tests/ikev1/req-pkcs10/pretest.dat | 22 ++++++ testing/tests/ikev1/req-pkcs10/test.conf | 21 ++++++ testing/tests/ikev1/rw-cert/description.txt | 6 ++ testing/tests/ikev1/rw-cert/evaltest.dat | 5 ++ testing/tests/ikev1/rw-cert/posttest.dat | 4 + testing/tests/ikev1/rw-cert/pretest.dat | 6 ++ testing/tests/ikev1/rw-cert/test.conf | 21 ++++++ .../tests/ikev1/rw-psk-fqdn-named/description.txt | 11 +++ testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat | 5 ++ .../rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf | 22 ++++++ .../hosts/carol/etc/ipsec.secrets | 7 ++ .../rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf | 22 ++++++ .../rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets | 7 ++ testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat | 4 + testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat | 8 ++ testing/tests/ikev1/rw-psk-fqdn-named/test.conf | 21 ++++++ testing/tests/ikev1/rw-psk-fqdn/description.txt | 5 ++ testing/tests/ikev1/rw-psk-fqdn/evaltest.dat | 5 ++ .../ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf | 22 ++++++ .../rw-psk-fqdn/hosts/carol/etc/ipsec.secrets | 7 ++ .../ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf | 21 ++++++ .../ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets | 3 + testing/tests/ikev1/rw-psk-fqdn/posttest.dat | 4 + testing/tests/ikev1/rw-psk-fqdn/pretest.dat | 8 ++ testing/tests/ikev1/rw-psk-fqdn/test.conf | 21 ++++++ testing/tests/ikev1/rw-psk-ipv4/description.txt | 5 ++ testing/tests/ikev1/rw-psk-ipv4/evaltest.dat | 5 ++ .../ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf | 20 +++++ .../rw-psk-ipv4/hosts/carol/etc/ipsec.secrets | 7 ++ .../ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf | 20 +++++ .../ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets | 7 ++ testing/tests/ikev1/rw-psk-ipv4/posttest.dat | 4 + testing/tests/ikev1/rw-psk-ipv4/pretest.dat | 8 ++ testing/tests/ikev1/rw-psk-ipv4/test.conf | 21 ++++++ .../tests/ikev1/rw-psk-no-policy/description.txt | 3 + testing/tests/ikev1/rw-psk-no-policy/evaltest.dat | 5 ++ .../rw-psk-no-policy/hosts/carol/etc/ipsec.conf | 22 ++++++ .../rw-psk-no-policy/hosts/carol/etc/ipsec.secrets | 7 ++ .../rw-psk-no-policy/hosts/moon/etc/ipsec.conf | 21 ++++++ testing/tests/ikev1/rw-psk-no-policy/posttest.dat | 2 + testing/tests/ikev1/rw-psk-no-policy/pretest.dat | 5 ++ testing/tests/ikev1/rw-psk-no-policy/test.conf | 21 ++++++ .../tests/ikev1/rw-psk-rsa-mixed/description.txt | 5 ++ testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat | 7 ++ .../rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf | 23 ++++++ .../rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets | 7 ++ .../rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf | 26 +++++++ .../rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets | 5 ++ testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat | 3 + testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat | 7 ++ testing/tests/ikev1/rw-psk-rsa-mixed/test.conf | 21 ++++++ .../tests/ikev1/rw-rsa-no-policy/description.txt | 3 + testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat | 5 ++ .../rw-rsa-no-policy/hosts/moon/etc/ipsec.conf | 20 +++++ .../rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets | 3 + testing/tests/ikev1/rw-rsa-no-policy/posttest.dat | 2 + testing/tests/ikev1/rw-rsa-no-policy/pretest.dat | 5 ++ testing/tests/ikev1/rw-rsa-no-policy/test.conf | 21 ++++++ testing/tests/ikev1/self-signed/description.txt | 8 ++ testing/tests/ikev1/self-signed/evaltest.dat | 7 ++ .../ikev1/self-signed/hosts/carol/etc/ipsec.conf | 26 +++++++ .../self-signed/hosts/carol/etc/ipsec.secrets | 3 + .../self-signed/hosts/moon/etc/init.d/iptables | 78 +++++++++++++++++++ .../ikev1/self-signed/hosts/moon/etc/ipsec.conf | 27 +++++++ .../ikev1/self-signed/hosts/moon/etc/ipsec.secrets | 3 + .../self-signed/hosts/moon/etc/scepclient.conf | 6 ++ testing/tests/ikev1/self-signed/posttest.dat | 8 ++ testing/tests/ikev1/self-signed/pretest.dat | 17 +++++ testing/tests/ikev1/self-signed/test.conf | 21 ++++++ .../tests/ikev1/starter-also-loop/description.txt | 4 + testing/tests/ikev1/starter-also-loop/evaltest.dat | 3 + .../starter-also-loop/hosts/moon/etc/ipsec.conf | 47 ++++++++++++ testing/tests/ikev1/starter-also-loop/posttest.dat | 0 testing/tests/ikev1/starter-also-loop/pretest.dat | 2 + testing/tests/ikev1/starter-also-loop/test.conf | 21 ++++++ testing/tests/ikev1/starter-also/description.txt | 3 + testing/tests/ikev1/starter-also/evaltest.dat | 5 ++ .../ikev1/starter-also/hosts/moon/etc/ipsec.conf | 46 ++++++++++++ testing/tests/ikev1/starter-also/posttest.dat | 4 + testing/tests/ikev1/starter-also/pretest.dat | 6 ++ testing/tests/ikev1/starter-also/test.conf | 21 ++++++ .../tests/ikev1/starter-includes/description.txt | 6 ++ testing/tests/ikev1/starter-includes/evaltest.dat | 16 ++++ .../starter-includes/hosts/carol/etc/ipsec.conf | 29 +++++++ .../starter-includes/hosts/dave/etc/ipsec.conf | 29 +++++++ .../starter-includes/hosts/moon/etc/ipsec.conf | 9 +++ .../hosts/moon/etc/ipsec.connections | 12 +++ .../starter-includes/hosts/moon/etc/ipsec.host | 11 +++ .../hosts/moon/etc/ipsec.peers/ipsec.carol | 8 ++ .../hosts/moon/etc/ipsec.peers/ipsec.dave | 8 ++ testing/tests/ikev1/starter-includes/posttest.dat | 10 +++ testing/tests/ikev1/starter-includes/pretest.dat | 11 +++ testing/tests/ikev1/starter-includes/test.conf | 21 ++++++ testing/tests/ikev1/strong-certs/description.txt | 6 ++ testing/tests/ikev1/strong-certs/evaltest.dat | 10 +++ .../ikev1/strong-certs/hosts/carol/etc/ipsec.conf | 24 ++++++ .../carol/etc/ipsec.d/certs/carolCert-sha384.pem | 25 +++++++ .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 +++++++ .../strong-certs/hosts/carol/etc/ipsec.secrets | 3 + .../ikev1/strong-certs/hosts/dave/etc/ipsec.conf | 24 ++++++ .../dave/etc/ipsec.d/certs/daveCert-sha512.pem | 25 +++++++ .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 27 +++++++ .../strong-certs/hosts/dave/etc/ipsec.secrets | 3 + .../ikev1/strong-certs/hosts/moon/etc/ipsec.conf | 23 ++++++ .../moon/etc/ipsec.d/certs/moonCert-sha256.pem | 25 +++++++ .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 +++++++ .../strong-certs/hosts/moon/etc/ipsec.secrets | 3 + testing/tests/ikev1/strong-certs/posttest.dat | 12 +++ testing/tests/ikev1/strong-certs/pretest.dat | 10 +++ testing/tests/ikev1/strong-certs/test.conf | 21 ++++++ .../tests/ikev1/virtual-ip-swapped/description.txt | 3 + .../tests/ikev1/virtual-ip-swapped/evaltest.dat | 9 +++ .../virtual-ip-swapped/hosts/carol/etc/ipsec.conf | 29 +++++++ .../virtual-ip-swapped/hosts/moon/etc/ipsec.conf | 25 +++++++ .../tests/ikev1/virtual-ip-swapped/posttest.dat | 5 ++ testing/tests/ikev1/virtual-ip-swapped/pretest.dat | 6 ++ testing/tests/ikev1/virtual-ip-swapped/test.conf | 21 ++++++ testing/tests/ikev1/virtual-ip/description.txt | 8 ++ testing/tests/ikev1/virtual-ip/evaltest.dat | 9 +++ .../ikev1/virtual-ip/hosts/carol/etc/ipsec.conf | 29 +++++++ .../ikev1/virtual-ip/hosts/moon/etc/ipsec.conf | 25 +++++++ testing/tests/ikev1/virtual-ip/posttest.dat | 5 ++ testing/tests/ikev1/virtual-ip/pretest.dat | 7 ++ testing/tests/ikev1/virtual-ip/test.conf | 21 ++++++ testing/tests/ikev1/wildcards/description.txt | 8 ++ testing/tests/ikev1/wildcards/evaltest.dat | 8 ++ .../ikev1/wildcards/hosts/carol/etc/ipsec.conf | 31 ++++++++ .../ikev1/wildcards/hosts/dave/etc/ipsec.conf | 31 ++++++++ .../ikev1/wildcards/hosts/moon/etc/ipsec.conf | 29 +++++++ testing/tests/ikev1/wildcards/posttest.dat | 3 + testing/tests/ikev1/wildcards/pretest.dat | 9 +++ testing/tests/ikev1/wildcards/test.conf | 21 ++++++ testing/tests/ikev1/wlan/description.txt | 15 ++++ testing/tests/ikev1/wlan/evaltest.dat | 11 +++ .../ikev1/wlan/hosts/alice/etc/init.d/iptables | 73 ++++++++++++++++++ .../tests/ikev1/wlan/hosts/alice/etc/ipsec.conf | 36 +++++++++ .../ikev1/wlan/hosts/moon/etc/init.d/iptables | 82 ++++++++++++++++++++ testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf | 36 +++++++++ .../ikev1/wlan/hosts/venus/etc/init.d/iptables | 73 ++++++++++++++++++ .../tests/ikev1/wlan/hosts/venus/etc/ipsec.conf | 36 +++++++++ testing/tests/ikev1/wlan/posttest.dat | 8 ++ testing/tests/ikev1/wlan/pretest.dat | 11 +++ testing/tests/ikev1/wlan/test.conf | 21 ++++++ .../ikev1/xauth-psk-mode-config/description.txt | 11 +++ .../tests/ikev1/xauth-psk-mode-config/evaltest.dat | 18 +++++ .../hosts/carol/etc/ipsec.conf | 25 +++++++ .../hosts/carol/etc/ipsec.secrets | 5 ++ .../hosts/dave/etc/ipsec.conf | 25 +++++++ .../hosts/dave/etc/ipsec.secrets | 5 ++ .../hosts/moon/etc/ipsec.conf | 30 ++++++++ .../hosts/moon/etc/ipsec.secrets | 7 ++ .../tests/ikev1/xauth-psk-mode-config/posttest.dat | 8 ++ .../tests/ikev1/xauth-psk-mode-config/pretest.dat | 12 +++ .../tests/ikev1/xauth-psk-mode-config/test.conf | 21 ++++++ testing/tests/ikev1/xauth-psk/description.txt | 9 +++ testing/tests/ikev1/xauth-psk/evaltest.dat | 12 +++ .../ikev1/xauth-psk/hosts/carol/etc/ipsec.conf | 22 ++++++ .../ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets | 5 ++ .../ikev1/xauth-psk/hosts/dave/etc/ipsec.conf | 22 ++++++ .../ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets | 5 ++ .../ikev1/xauth-psk/hosts/moon/etc/ipsec.conf | 23 ++++++ .../ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets | 7 ++ testing/tests/ikev1/xauth-psk/posttest.dat | 6 ++ testing/tests/ikev1/xauth-psk/pretest.dat | 12 +++ testing/tests/ikev1/xauth-psk/test.conf | 21 ++++++ testing/tests/ikev1/xauth-rsa-fail/description.txt | 5 ++ testing/tests/ikev1/xauth-rsa-fail/evaltest.dat | 4 + .../xauth-rsa-fail/hosts/carol/etc/ipsec.conf | 25 +++++++ .../xauth-rsa-fail/hosts/carol/etc/ipsec.secrets | 5 ++ .../ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf | 25 +++++++ .../xauth-rsa-fail/hosts/moon/etc/ipsec.secrets | 5 ++ testing/tests/ikev1/xauth-rsa-fail/posttest.dat | 2 + testing/tests/ikev1/xauth-rsa-fail/pretest.dat | 4 + testing/tests/ikev1/xauth-rsa-fail/test.conf | 21 ++++++ .../ikev1/xauth-rsa-mode-config/description.txt | 11 +++ .../tests/ikev1/xauth-rsa-mode-config/evaltest.dat | 18 +++++ .../hosts/carol/etc/ipsec.conf | 26 +++++++ .../hosts/carol/etc/ipsec.secrets | 5 ++ .../hosts/dave/etc/ipsec.conf | 26 +++++++ .../hosts/dave/etc/ipsec.secrets | 5 ++ .../hosts/moon/etc/ipsec.conf | 31 ++++++++ .../hosts/moon/etc/ipsec.secrets | 7 ++ .../tests/ikev1/xauth-rsa-mode-config/posttest.dat | 8 ++ .../tests/ikev1/xauth-rsa-mode-config/pretest.dat | 9 +++ .../tests/ikev1/xauth-rsa-mode-config/test.conf | 21 ++++++ .../tests/ikev1/xauth-rsa-nosecret/description.txt | 6 ++ .../tests/ikev1/xauth-rsa-nosecret/evaltest.dat | 4 + .../xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf | 25 +++++++ .../hosts/carol/etc/ipsec.secrets | 3 + .../xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf | 25 +++++++ .../hosts/moon/etc/ipsec.secrets | 5 ++ .../tests/ikev1/xauth-rsa-nosecret/posttest.dat | 2 + testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat | 4 + testing/tests/ikev1/xauth-rsa-nosecret/test.conf | 21 ++++++ testing/tests/ikev1/xauth-rsa/description.txt | 9 +++ testing/tests/ikev1/xauth-rsa/evaltest.dat | 12 +++ .../ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf | 25 +++++++ .../ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets | 5 ++ .../ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf | 25 +++++++ .../ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets | 5 ++ .../ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf | 25 +++++++ .../ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets | 7 ++ testing/tests/ikev1/xauth-rsa/posttest.dat | 6 ++ testing/tests/ikev1/xauth-rsa/pretest.dat | 9 +++ testing/tests/ikev1/xauth-rsa/test.conf | 21 ++++++ 663 files changed, 10153 insertions(+) create mode 100644 testing/tests/ikev1/alg-blowfish/description.txt create mode 100644 testing/tests/ikev1/alg-blowfish/evaltest.dat create mode 100755 testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/alg-blowfish/posttest.dat create mode 100644 testing/tests/ikev1/alg-blowfish/pretest.dat create mode 100644 testing/tests/ikev1/alg-blowfish/test.conf create mode 100644 testing/tests/ikev1/alg-serpent/description.txt create mode 100644 testing/tests/ikev1/alg-serpent/evaltest.dat create mode 100755 testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/alg-serpent/posttest.dat create mode 100644 testing/tests/ikev1/alg-serpent/pretest.dat create mode 100644 testing/tests/ikev1/alg-serpent/test.conf create mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/description.txt create mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat create mode 100755 testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat create mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat create mode 100644 testing/tests/ikev1/alg-sha-equals-sha1/test.conf create mode 100644 testing/tests/ikev1/alg-sha2_256/description.txt create mode 100644 testing/tests/ikev1/alg-sha2_256/evaltest.dat create mode 100755 testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/alg-sha2_256/posttest.dat create mode 100644 testing/tests/ikev1/alg-sha2_256/pretest.dat create mode 100644 testing/tests/ikev1/alg-sha2_256/test.conf create mode 100644 testing/tests/ikev1/alg-twofish/description.txt create mode 100644 testing/tests/ikev1/alg-twofish/evaltest.dat create mode 100755 testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/alg-twofish/posttest.dat create mode 100644 testing/tests/ikev1/alg-twofish/pretest.dat create mode 100644 testing/tests/ikev1/alg-twofish/test.conf create mode 100644 testing/tests/ikev1/attr-cert/description.txt create mode 100644 testing/tests/ikev1/attr-cert/evaltest.dat create mode 100755 testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem create mode 100644 testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem create mode 100644 testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem create mode 100644 testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem create mode 100644 testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf create mode 100644 testing/tests/ikev1/attr-cert/posttest.dat create mode 100644 testing/tests/ikev1/attr-cert/pretest.dat create mode 100644 testing/tests/ikev1/attr-cert/test.conf create mode 100644 testing/tests/ikev1/compress/description.txt create mode 100644 testing/tests/ikev1/compress/evaltest.dat create mode 100755 testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/compress/posttest.dat create mode 100644 testing/tests/ikev1/compress/pretest.dat create mode 100644 testing/tests/ikev1/compress/test.conf create mode 100644 testing/tests/ikev1/crl-from-cache/description.txt create mode 100644 testing/tests/ikev1/crl-from-cache/evaltest.dat create mode 100755 testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/crl-from-cache/posttest.dat create mode 100644 testing/tests/ikev1/crl-from-cache/pretest.dat create mode 100644 testing/tests/ikev1/crl-from-cache/test.conf create mode 100644 testing/tests/ikev1/crl-ldap/description.txt create mode 100644 testing/tests/ikev1/crl-ldap/evaltest.dat create mode 100755 testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables create mode 100755 testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl create mode 100755 testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl create mode 100644 testing/tests/ikev1/crl-ldap/posttest.dat create mode 100644 testing/tests/ikev1/crl-ldap/pretest.dat create mode 100644 testing/tests/ikev1/crl-ldap/test.conf create mode 100644 testing/tests/ikev1/crl-revoked/description.txt create mode 100644 testing/tests/ikev1/crl-revoked/evaltest.dat create mode 100755 testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem create mode 100644 testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem create mode 100644 testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/crl-revoked/posttest.dat create mode 100644 testing/tests/ikev1/crl-revoked/pretest.dat create mode 100644 testing/tests/ikev1/crl-revoked/test.conf create mode 100644 testing/tests/ikev1/crl-strict/description.txt create mode 100644 testing/tests/ikev1/crl-strict/evaltest.dat create mode 100755 testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/crl-strict/posttest.dat create mode 100644 testing/tests/ikev1/crl-strict/pretest.dat create mode 100644 testing/tests/ikev1/crl-strict/test.conf create mode 100644 testing/tests/ikev1/crl-to-cache/description.txt create mode 100644 testing/tests/ikev1/crl-to-cache/evaltest.dat create mode 100755 testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/crl-to-cache/posttest.dat create mode 100644 testing/tests/ikev1/crl-to-cache/pretest.dat create mode 100644 testing/tests/ikev1/crl-to-cache/test.conf create mode 100644 testing/tests/ikev1/default-keys/description.txt create mode 100644 testing/tests/ikev1/default-keys/evaltest.dat create mode 100755 testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/default-keys/posttest.dat create mode 100644 testing/tests/ikev1/default-keys/pretest.dat create mode 100644 testing/tests/ikev1/default-keys/test.conf create mode 100644 testing/tests/ikev1/double-nat-net/description.txt create mode 100644 testing/tests/ikev1/double-nat-net/evaltest.dat create mode 100755 testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf create mode 100755 testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf create mode 100644 testing/tests/ikev1/double-nat-net/posttest.dat create mode 100644 testing/tests/ikev1/double-nat-net/pretest.dat create mode 100644 testing/tests/ikev1/double-nat-net/test.conf create mode 100644 testing/tests/ikev1/double-nat/description.txt create mode 100644 testing/tests/ikev1/double-nat/evaltest.dat create mode 100755 testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev1/double-nat/posttest.dat create mode 100644 testing/tests/ikev1/double-nat/pretest.dat create mode 100644 testing/tests/ikev1/double-nat/test.conf create mode 100644 testing/tests/ikev1/dpd-clear/description.txt create mode 100644 testing/tests/ikev1/dpd-clear/evaltest.dat create mode 100755 testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/dpd-clear/posttest.dat create mode 100644 testing/tests/ikev1/dpd-clear/pretest.dat create mode 100644 testing/tests/ikev1/dpd-clear/test.conf create mode 100644 testing/tests/ikev1/esp-ah-transport/description.txt create mode 100644 testing/tests/ikev1/esp-ah-transport/evaltest.dat create mode 100755 testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables create mode 100755 testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-ah-transport/posttest.dat create mode 100644 testing/tests/ikev1/esp-ah-transport/pretest.dat create mode 100644 testing/tests/ikev1/esp-ah-transport/test.conf create mode 100644 testing/tests/ikev1/esp-ah-tunnel/description.txt create mode 100644 testing/tests/ikev1/esp-ah-tunnel/evaltest.dat create mode 100755 testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables create mode 100755 testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-ah-tunnel/posttest.dat create mode 100644 testing/tests/ikev1/esp-ah-tunnel/pretest.dat create mode 100644 testing/tests/ikev1/esp-ah-tunnel/test.conf create mode 100644 testing/tests/ikev1/esp-alg-des/description.txt create mode 100644 testing/tests/ikev1/esp-alg-des/evaltest.dat create mode 100755 testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-alg-des/posttest.dat create mode 100644 testing/tests/ikev1/esp-alg-des/pretest.dat create mode 100644 testing/tests/ikev1/esp-alg-des/test.conf create mode 100644 testing/tests/ikev1/esp-alg-null/description.txt create mode 100644 testing/tests/ikev1/esp-alg-null/evaltest.dat create mode 100755 testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-alg-null/posttest.dat create mode 100644 testing/tests/ikev1/esp-alg-null/pretest.dat create mode 100644 testing/tests/ikev1/esp-alg-null/test.conf create mode 100644 testing/tests/ikev1/esp-alg-strict-fail/description.txt create mode 100644 testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat create mode 100755 testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-alg-strict-fail/posttest.dat create mode 100644 testing/tests/ikev1/esp-alg-strict-fail/pretest.dat create mode 100644 testing/tests/ikev1/esp-alg-strict-fail/test.conf create mode 100644 testing/tests/ikev1/esp-alg-strict/description.txt create mode 100644 testing/tests/ikev1/esp-alg-strict/evaltest.dat create mode 100755 testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-alg-strict/posttest.dat create mode 100644 testing/tests/ikev1/esp-alg-strict/pretest.dat create mode 100644 testing/tests/ikev1/esp-alg-strict/test.conf create mode 100644 testing/tests/ikev1/esp-alg-weak/description.txt create mode 100644 testing/tests/ikev1/esp-alg-weak/evaltest.dat create mode 100755 testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-alg-weak/posttest.dat create mode 100644 testing/tests/ikev1/esp-alg-weak/pretest.dat create mode 100644 testing/tests/ikev1/esp-alg-weak/test.conf create mode 100644 testing/tests/ikev1/host2host-cert/description.txt create mode 100644 testing/tests/ikev1/host2host-cert/evaltest.dat create mode 100644 testing/tests/ikev1/host2host-cert/posttest.dat create mode 100644 testing/tests/ikev1/host2host-cert/pretest.dat create mode 100644 testing/tests/ikev1/host2host-cert/test.conf create mode 100644 testing/tests/ikev1/host2host-swapped/description.txt create mode 100644 testing/tests/ikev1/host2host-swapped/evaltest.dat create mode 100755 testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/host2host-swapped/posttest.dat create mode 100644 testing/tests/ikev1/host2host-swapped/pretest.dat create mode 100644 testing/tests/ikev1/host2host-swapped/test.conf create mode 100644 testing/tests/ikev1/host2host-transport/description.txt create mode 100644 testing/tests/ikev1/host2host-transport/evaltest.dat create mode 100755 testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/host2host-transport/posttest.dat create mode 100644 testing/tests/ikev1/host2host-transport/pretest.dat create mode 100644 testing/tests/ikev1/host2host-transport/test.conf create mode 100644 testing/tests/ikev1/ike-alg-sha2_384/description.txt create mode 100644 testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat create mode 100755 testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/ike-alg-sha2_384/posttest.dat create mode 100644 testing/tests/ikev1/ike-alg-sha2_384/pretest.dat create mode 100644 testing/tests/ikev1/ike-alg-sha2_384/test.conf create mode 100644 testing/tests/ikev1/ike-alg-sha2_512/description.txt create mode 100644 testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat create mode 100755 testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/ike-alg-sha2_512/posttest.dat create mode 100644 testing/tests/ikev1/ike-alg-sha2_512/pretest.dat create mode 100644 testing/tests/ikev1/ike-alg-sha2_512/test.conf create mode 100644 testing/tests/ikev1/ike-alg-strict-fail/description.txt create mode 100644 testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat create mode 100755 testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/ike-alg-strict-fail/posttest.dat create mode 100644 testing/tests/ikev1/ike-alg-strict-fail/pretest.dat create mode 100644 testing/tests/ikev1/ike-alg-strict-fail/test.conf create mode 100644 testing/tests/ikev1/ike-alg-strict/description.txt create mode 100644 testing/tests/ikev1/ike-alg-strict/evaltest.dat create mode 100755 testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/ike-alg-strict/posttest.dat create mode 100644 testing/tests/ikev1/ike-alg-strict/pretest.dat create mode 100644 testing/tests/ikev1/ike-alg-strict/test.conf create mode 100644 testing/tests/ikev1/mode-config-push/description.txt create mode 100644 testing/tests/ikev1/mode-config-push/evaltest.dat create mode 100755 testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/mode-config-push/posttest.dat create mode 100644 testing/tests/ikev1/mode-config-push/pretest.dat create mode 100644 testing/tests/ikev1/mode-config-push/test.conf create mode 100644 testing/tests/ikev1/mode-config-swapped/description.txt create mode 100644 testing/tests/ikev1/mode-config-swapped/evaltest.dat create mode 100755 testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/mode-config-swapped/posttest.dat create mode 100644 testing/tests/ikev1/mode-config-swapped/pretest.dat create mode 100644 testing/tests/ikev1/mode-config-swapped/test.conf create mode 100644 testing/tests/ikev1/mode-config/description.txt create mode 100644 testing/tests/ikev1/mode-config/evaltest.dat create mode 100755 testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/mode-config/posttest.dat create mode 100644 testing/tests/ikev1/mode-config/pretest.dat create mode 100644 testing/tests/ikev1/mode-config/test.conf create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/description.txt create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat create mode 100755 testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem create mode 100755 testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/posttest.dat create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/pretest.dat create mode 100644 testing/tests/ikev1/multi-level-ca-ldap/test.conf create mode 100644 testing/tests/ikev1/multi-level-ca-loop/description.txt create mode 100644 testing/tests/ikev1/multi-level-ca-loop/evaltest.dat create mode 100755 testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-loop/posttest.dat create mode 100644 testing/tests/ikev1/multi-level-ca-loop/pretest.dat create mode 100644 testing/tests/ikev1/multi-level-ca-loop/test.conf create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/description.txt create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat create mode 100755 testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/posttest.dat create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/pretest.dat create mode 100644 testing/tests/ikev1/multi-level-ca-revoked/test.conf create mode 100644 testing/tests/ikev1/multi-level-ca-strict/description.txt create mode 100644 testing/tests/ikev1/multi-level-ca-strict/evaltest.dat create mode 100755 testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem create mode 100755 testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca-strict/posttest.dat create mode 100644 testing/tests/ikev1/multi-level-ca-strict/pretest.dat create mode 100644 testing/tests/ikev1/multi-level-ca-strict/test.conf create mode 100644 testing/tests/ikev1/multi-level-ca/description.txt create mode 100644 testing/tests/ikev1/multi-level-ca/evaltest.dat create mode 100755 testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem create mode 100755 testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem create mode 100644 testing/tests/ikev1/multi-level-ca/posttest.dat create mode 100644 testing/tests/ikev1/multi-level-ca/pretest.dat create mode 100644 testing/tests/ikev1/multi-level-ca/test.conf create mode 100644 testing/tests/ikev1/nat-before-esp/description.txt create mode 100644 testing/tests/ikev1/nat-before-esp/evaltest.dat create mode 100755 testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/nat-before-esp/posttest.dat create mode 100644 testing/tests/ikev1/nat-before-esp/pretest.dat create mode 100644 testing/tests/ikev1/nat-before-esp/test.conf create mode 100644 testing/tests/ikev1/nat-one-rw/description.txt create mode 100644 testing/tests/ikev1/nat-one-rw/evaltest.dat create mode 100644 testing/tests/ikev1/nat-one-rw/posttest.dat create mode 100644 testing/tests/ikev1/nat-one-rw/pretest.dat create mode 100644 testing/tests/ikev1/nat-one-rw/test.conf create mode 100644 testing/tests/ikev1/nat-two-rw-psk/description.txt create mode 100644 testing/tests/ikev1/nat-two-rw-psk/evaltest.dat create mode 100755 testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/nat-two-rw-psk/posttest.dat create mode 100644 testing/tests/ikev1/nat-two-rw-psk/pretest.dat create mode 100644 testing/tests/ikev1/nat-two-rw-psk/test.conf create mode 100644 testing/tests/ikev1/nat-two-rw/description.txt create mode 100644 testing/tests/ikev1/nat-two-rw/evaltest.dat create mode 100644 testing/tests/ikev1/nat-two-rw/posttest.dat create mode 100644 testing/tests/ikev1/nat-two-rw/pretest.dat create mode 100644 testing/tests/ikev1/nat-two-rw/test.conf create mode 100644 testing/tests/ikev1/net2net-cert/description.txt create mode 100644 testing/tests/ikev1/net2net-cert/evaltest.dat create mode 100644 testing/tests/ikev1/net2net-cert/posttest.dat create mode 100644 testing/tests/ikev1/net2net-cert/pretest.dat create mode 100644 testing/tests/ikev1/net2net-cert/test.conf create mode 100644 testing/tests/ikev1/net2net-pgp/description.txt create mode 100644 testing/tests/ikev1/net2net-pgp/evaltest.dat create mode 100755 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc create mode 100644 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc create mode 100644 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc create mode 100644 testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc create mode 100644 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc create mode 100644 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc create mode 100644 testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/net2net-pgp/posttest.dat create mode 100644 testing/tests/ikev1/net2net-pgp/pretest.dat create mode 100644 testing/tests/ikev1/net2net-pgp/test.conf create mode 100644 testing/tests/ikev1/net2net-psk-fail/description.txt create mode 100644 testing/tests/ikev1/net2net-psk-fail/evaltest.dat create mode 100755 testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/net2net-psk-fail/posttest.dat create mode 100644 testing/tests/ikev1/net2net-psk-fail/pretest.dat create mode 100644 testing/tests/ikev1/net2net-psk-fail/test.conf create mode 100644 testing/tests/ikev1/net2net-psk/description.txt create mode 100644 testing/tests/ikev1/net2net-psk/evaltest.dat create mode 100755 testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/net2net-psk/posttest.dat create mode 100644 testing/tests/ikev1/net2net-psk/pretest.dat create mode 100644 testing/tests/ikev1/net2net-psk/test.conf create mode 100644 testing/tests/ikev1/net2net-route/description.txt create mode 100644 testing/tests/ikev1/net2net-route/evaltest.dat create mode 100755 testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-route/posttest.dat create mode 100644 testing/tests/ikev1/net2net-route/pretest.dat create mode 100644 testing/tests/ikev1/net2net-route/test.conf create mode 100644 testing/tests/ikev1/net2net-rsa/description.txt create mode 100644 testing/tests/ikev1/net2net-rsa/evaltest.dat create mode 100755 testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/net2net-rsa/posttest.dat create mode 100644 testing/tests/ikev1/net2net-rsa/pretest.dat create mode 100644 testing/tests/ikev1/net2net-rsa/test.conf create mode 100644 testing/tests/ikev1/net2net-start/description.txt create mode 100644 testing/tests/ikev1/net2net-start/evaltest.dat create mode 100755 testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/net2net-start/posttest.dat create mode 100644 testing/tests/ikev1/net2net-start/pretest.dat create mode 100644 testing/tests/ikev1/net2net-start/test.conf create mode 100644 testing/tests/ikev1/no-priv-key/description.txt create mode 100644 testing/tests/ikev1/no-priv-key/evaltest.dat create mode 100644 testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/no-priv-key/posttest.dat create mode 100644 testing/tests/ikev1/no-priv-key/pretest.dat create mode 100644 testing/tests/ikev1/no-priv-key/test.conf create mode 100644 testing/tests/ikev1/ocsp-revoked/description.txt create mode 100644 testing/tests/ikev1/ocsp-revoked/evaltest.dat create mode 100755 testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem create mode 100644 testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem create mode 100644 testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/ocsp-revoked/posttest.dat create mode 100644 testing/tests/ikev1/ocsp-revoked/pretest.dat create mode 100644 testing/tests/ikev1/ocsp-revoked/test.conf create mode 100644 testing/tests/ikev1/ocsp-strict/description.txt create mode 100644 testing/tests/ikev1/ocsp-strict/evaltest.dat create mode 100755 testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/ocsp-strict/posttest.dat create mode 100644 testing/tests/ikev1/ocsp-strict/pretest.dat create mode 100644 testing/tests/ikev1/ocsp-strict/test.conf create mode 100644 testing/tests/ikev1/protoport-dual/description.txt create mode 100644 testing/tests/ikev1/protoport-dual/evaltest.dat create mode 100755 testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/protoport-dual/posttest.dat create mode 100644 testing/tests/ikev1/protoport-dual/pretest.dat create mode 100644 testing/tests/ikev1/protoport-dual/test.conf create mode 100644 testing/tests/ikev1/protoport-pass/description.txt create mode 100644 testing/tests/ikev1/protoport-pass/evaltest.dat create mode 100755 testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/protoport-pass/posttest.dat create mode 100644 testing/tests/ikev1/protoport-pass/pretest.dat create mode 100644 testing/tests/ikev1/protoport-pass/test.conf create mode 100644 testing/tests/ikev1/protoport-route/description.txt create mode 100644 testing/tests/ikev1/protoport-route/evaltest.dat create mode 100755 testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/protoport-route/posttest.dat create mode 100644 testing/tests/ikev1/protoport-route/pretest.dat create mode 100644 testing/tests/ikev1/protoport-route/test.conf create mode 100644 testing/tests/ikev1/req-pkcs10/description.txt create mode 100644 testing/tests/ikev1/req-pkcs10/evaltest.dat create mode 100755 testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf create mode 100644 testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf create mode 100644 testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt create mode 100644 testing/tests/ikev1/req-pkcs10/posttest.dat create mode 100644 testing/tests/ikev1/req-pkcs10/pretest.dat create mode 100644 testing/tests/ikev1/req-pkcs10/test.conf create mode 100644 testing/tests/ikev1/rw-cert/description.txt create mode 100644 testing/tests/ikev1/rw-cert/evaltest.dat create mode 100644 testing/tests/ikev1/rw-cert/posttest.dat create mode 100644 testing/tests/ikev1/rw-cert/pretest.dat create mode 100644 testing/tests/ikev1/rw-cert/test.conf create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/description.txt create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat create mode 100755 testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat create mode 100644 testing/tests/ikev1/rw-psk-fqdn-named/test.conf create mode 100644 testing/tests/ikev1/rw-psk-fqdn/description.txt create mode 100644 testing/tests/ikev1/rw-psk-fqdn/evaltest.dat create mode 100755 testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/rw-psk-fqdn/posttest.dat create mode 100644 testing/tests/ikev1/rw-psk-fqdn/pretest.dat create mode 100644 testing/tests/ikev1/rw-psk-fqdn/test.conf create mode 100644 testing/tests/ikev1/rw-psk-ipv4/description.txt create mode 100644 testing/tests/ikev1/rw-psk-ipv4/evaltest.dat create mode 100755 testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/rw-psk-ipv4/posttest.dat create mode 100644 testing/tests/ikev1/rw-psk-ipv4/pretest.dat create mode 100644 testing/tests/ikev1/rw-psk-ipv4/test.conf create mode 100644 testing/tests/ikev1/rw-psk-no-policy/description.txt create mode 100644 testing/tests/ikev1/rw-psk-no-policy/evaltest.dat create mode 100755 testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-no-policy/posttest.dat create mode 100644 testing/tests/ikev1/rw-psk-no-policy/pretest.dat create mode 100644 testing/tests/ikev1/rw-psk-no-policy/test.conf create mode 100644 testing/tests/ikev1/rw-psk-rsa-mixed/description.txt create mode 100644 testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat create mode 100755 testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat create mode 100644 testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat create mode 100644 testing/tests/ikev1/rw-psk-rsa-mixed/test.conf create mode 100644 testing/tests/ikev1/rw-rsa-no-policy/description.txt create mode 100644 testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat create mode 100755 testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/rw-rsa-no-policy/posttest.dat create mode 100644 testing/tests/ikev1/rw-rsa-no-policy/pretest.dat create mode 100644 testing/tests/ikev1/rw-rsa-no-policy/test.conf create mode 100644 testing/tests/ikev1/self-signed/description.txt create mode 100644 testing/tests/ikev1/self-signed/evaltest.dat create mode 100755 testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf create mode 100644 testing/tests/ikev1/self-signed/posttest.dat create mode 100644 testing/tests/ikev1/self-signed/pretest.dat create mode 100644 testing/tests/ikev1/self-signed/test.conf create mode 100644 testing/tests/ikev1/starter-also-loop/description.txt create mode 100644 testing/tests/ikev1/starter-also-loop/evaltest.dat create mode 100755 testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/starter-also-loop/posttest.dat create mode 100644 testing/tests/ikev1/starter-also-loop/pretest.dat create mode 100644 testing/tests/ikev1/starter-also-loop/test.conf create mode 100644 testing/tests/ikev1/starter-also/description.txt create mode 100644 testing/tests/ikev1/starter-also/evaltest.dat create mode 100755 testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/starter-also/posttest.dat create mode 100644 testing/tests/ikev1/starter-also/pretest.dat create mode 100644 testing/tests/ikev1/starter-also/test.conf create mode 100644 testing/tests/ikev1/starter-includes/description.txt create mode 100644 testing/tests/ikev1/starter-includes/evaltest.dat create mode 100755 testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections create mode 100755 testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host create mode 100644 testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol create mode 100644 testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave create mode 100644 testing/tests/ikev1/starter-includes/posttest.dat create mode 100644 testing/tests/ikev1/starter-includes/pretest.dat create mode 100644 testing/tests/ikev1/starter-includes/test.conf create mode 100644 testing/tests/ikev1/strong-certs/description.txt create mode 100644 testing/tests/ikev1/strong-certs/evaltest.dat create mode 100755 testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem create mode 100644 testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem create mode 100644 testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem create mode 100644 testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem create mode 100644 testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/strong-certs/posttest.dat create mode 100644 testing/tests/ikev1/strong-certs/pretest.dat create mode 100644 testing/tests/ikev1/strong-certs/test.conf create mode 100644 testing/tests/ikev1/virtual-ip-swapped/description.txt create mode 100644 testing/tests/ikev1/virtual-ip-swapped/evaltest.dat create mode 100755 testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/virtual-ip-swapped/posttest.dat create mode 100644 testing/tests/ikev1/virtual-ip-swapped/pretest.dat create mode 100644 testing/tests/ikev1/virtual-ip-swapped/test.conf create mode 100644 testing/tests/ikev1/virtual-ip/description.txt create mode 100644 testing/tests/ikev1/virtual-ip/evaltest.dat create mode 100755 testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/virtual-ip/posttest.dat create mode 100644 testing/tests/ikev1/virtual-ip/pretest.dat create mode 100644 testing/tests/ikev1/virtual-ip/test.conf create mode 100644 testing/tests/ikev1/wildcards/description.txt create mode 100644 testing/tests/ikev1/wildcards/evaltest.dat create mode 100755 testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/wildcards/posttest.dat create mode 100644 testing/tests/ikev1/wildcards/pretest.dat create mode 100644 testing/tests/ikev1/wildcards/test.conf create mode 100644 testing/tests/ikev1/wlan/description.txt create mode 100644 testing/tests/ikev1/wlan/evaltest.dat create mode 100755 testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables create mode 100755 testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf create mode 100755 testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables create mode 100755 testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/ikev1/wlan/posttest.dat create mode 100644 testing/tests/ikev1/wlan/pretest.dat create mode 100644 testing/tests/ikev1/wlan/test.conf create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/description.txt create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/posttest.dat create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/pretest.dat create mode 100644 testing/tests/ikev1/xauth-psk-mode-config/test.conf create mode 100644 testing/tests/ikev1/xauth-psk/description.txt create mode 100644 testing/tests/ikev1/xauth-psk/evaltest.dat create mode 100644 testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-psk/posttest.dat create mode 100644 testing/tests/ikev1/xauth-psk/pretest.dat create mode 100644 testing/tests/ikev1/xauth-psk/test.conf create mode 100644 testing/tests/ikev1/xauth-rsa-fail/description.txt create mode 100644 testing/tests/ikev1/xauth-rsa-fail/evaltest.dat create mode 100755 testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa-fail/posttest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-fail/pretest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-fail/test.conf create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/description.txt create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/test.conf create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/description.txt create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat create mode 100755 testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/test.conf create mode 100644 testing/tests/ikev1/xauth-rsa/description.txt create mode 100644 testing/tests/ikev1/xauth-rsa/evaltest.dat create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-rsa/posttest.dat create mode 100644 testing/tests/ikev1/xauth-rsa/pretest.dat create mode 100644 testing/tests/ikev1/xauth-rsa/test.conf (limited to 'testing/tests/ikev1') diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt new file mode 100644 index 000000000..cff0a1915 --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/description.txt @@ -0,0 +1,4 @@ +Roadwarrior carol proposes to gateway moon the strong cipher suite +BLOWFISH_CBC_256-SHA2_512-MODP4096 for the IKE protocol and +BLOWFISH_256-HMAC_SHA2_256 for ESP packets. A ping from carol to +alice successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat new file mode 100644 index 000000000..a9c9b803a --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..04d5b977b --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=blowfish256-sha2_512-modp4096! + esp=blowfish256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..80163ffcd --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=blowfish256-sha2_512-modp4096! + esp=blowfish256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-blowfish/posttest.dat b/testing/tests/ikev1/alg-blowfish/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat new file mode 100644 index 000000000..6d2eeb5f9 --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/alg-serpent/description.txt b/testing/tests/ikev1/alg-serpent/description.txt new file mode 100644 index 000000000..f49c0a1c0 --- /dev/null +++ b/testing/tests/ikev1/alg-serpent/description.txt @@ -0,0 +1,4 @@ +Roadwarrior carol proposes to gateway moon the strong cipher suite +SERPENT_CBC_256-SHA2_512-MODP4096 for the IKE protocol and +SERPENT_256-HMAC_SHA2_256 for ESP packets. A ping from carol to +alice successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat new file mode 100644 index 000000000..6b792538b --- /dev/null +++ b/testing/tests/ikev1/alg-serpent/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..09cd583b4 --- /dev/null +++ b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=serpent256-sha2_512-modp4096! + esp=serpent256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ca1eb7b19 --- /dev/null +++ b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=serpent256-sha2_512-modp4096! + esp=serpent256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-serpent/posttest.dat b/testing/tests/ikev1/alg-serpent/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/alg-serpent/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/alg-serpent/pretest.dat b/testing/tests/ikev1/alg-serpent/pretest.dat new file mode 100644 index 000000000..6d2eeb5f9 --- /dev/null +++ b/testing/tests/ikev1/alg-serpent/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/alg-serpent/test.conf b/testing/tests/ikev1/alg-serpent/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/alg-serpent/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt b/testing/tests/ikev1/alg-sha-equals-sha1/description.txt new file mode 100644 index 000000000..aeb2e1a88 --- /dev/null +++ b/testing/tests/ikev1/alg-sha-equals-sha1/description.txt @@ -0,0 +1,5 @@ +Roadwarrior carol proposes to gateway moon the syntactically +incorrect cipher suites ike=aes128-sha1-modp1536 for the +IKE protocol and esp=aes128-sha for ESP packets. Since sha and +sha1 are treated as synonyms the proposal is neverless correctly parsed. +A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat new file mode 100644 index 000000000..c3656c690 --- /dev/null +++ b/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..7c1ee3bb5 --- /dev/null +++ b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes128-sha1-modp1536! + esp=aes128-sha! + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7d00b538f --- /dev/null +++ b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha1-modp1536! + esp=aes128-sha! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add + diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf b/testing/tests/ikev1/alg-sha-equals-sha1/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/alg-sha-equals-sha1/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/alg-sha2_256/description.txt b/testing/tests/ikev1/alg-sha2_256/description.txt new file mode 100644 index 000000000..900fcf017 --- /dev/null +++ b/testing/tests/ikev1/alg-sha2_256/description.txt @@ -0,0 +1,4 @@ +Roadwarrior carol proposes to gateway moon the rather strong cipher suite +AES_CBC_128-SHA2_256-MODP1536 for the IKE protocol and +AES_128-HMAC_SHA2_256 for ESP packets. A ping from carol to +alice successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat new file mode 100644 index 000000000..9b4caa278 --- /dev/null +++ b/testing/tests/ikev1/alg-sha2_256/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b10fb08b9 --- /dev/null +++ b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes128-sha2_256-modp1536! + esp=aes128-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..de832729b --- /dev/null +++ b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha2_256-modp1536! + esp=aes128-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-sha2_256/posttest.dat b/testing/tests/ikev1/alg-sha2_256/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/alg-sha2_256/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/alg-sha2_256/pretest.dat b/testing/tests/ikev1/alg-sha2_256/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/alg-sha2_256/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha2_256/test.conf b/testing/tests/ikev1/alg-sha2_256/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/alg-sha2_256/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/alg-twofish/description.txt b/testing/tests/ikev1/alg-twofish/description.txt new file mode 100644 index 000000000..0015561ee --- /dev/null +++ b/testing/tests/ikev1/alg-twofish/description.txt @@ -0,0 +1,4 @@ +Roadwarrior carol proposes to gateway moon the strong cipher suite +TWOFISH_CBC_256-SHA2_512-MODP4096 for the IKE protocol and +TWOFISH_256-HMAC_SHA2_256 for ESP packets. A ping from carol to +alice successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat new file mode 100644 index 000000000..0568eec6e --- /dev/null +++ b/testing/tests/ikev1/alg-twofish/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..95ddeb2b8 --- /dev/null +++ b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=twofish256-sha2_512-modp4096! + esp=twofish256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2d7904563 --- /dev/null +++ b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=twofish256-sha2_512-modp4096! + esp=twofish256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-twofish/posttest.dat b/testing/tests/ikev1/alg-twofish/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/alg-twofish/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/alg-twofish/pretest.dat b/testing/tests/ikev1/alg-twofish/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/alg-twofish/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/alg-twofish/test.conf b/testing/tests/ikev1/alg-twofish/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/alg-twofish/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/attr-cert/description.txt b/testing/tests/ikev1/attr-cert/description.txt new file mode 100644 index 000000000..b7f809c36 --- /dev/null +++ b/testing/tests/ikev1/attr-cert/description.txt @@ -0,0 +1,7 @@ +The VPN gateway moon controls the access to the hosts alice and +venus by means of X.509 Attribute Certificates. Access to alice +is granted to members of the group 'Research' whereas venus can only +be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors +carol and dave belong to the groups 'Research' and 'Accounting', +respectively. Therefore carol can access alice and dave +can reach venus. \ No newline at end of file diff --git a/testing/tests/ikev1/attr-cert/evaltest.dat b/testing/tests/ikev1/attr-cert/evaltest.dat new file mode 100644 index 000000000..59f6eb76a --- /dev/null +++ b/testing/tests/ikev1/attr-cert/evaltest.dat @@ -0,0 +1,12 @@ +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::alice.*peer matches group 'Research'::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::venus.*peer doesn't match any group::YES +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::venus.*peer matches group 'Accounting'::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::alice.*peer doesn't match any group::YES +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..eae669641 --- /dev/null +++ b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..989784124 --- /dev/null +++ b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6c16db587 --- /dev/null +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightgroups=Research + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightgroups="Accounting, Sales" + auto=add + diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem new file mode 100644 index 000000000..3c5c5d91d --- /dev/null +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv +cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI +wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6 +dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC +fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB +CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf +NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC +AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6 +5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq +Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh +QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry +b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg +CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR +aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY +ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw +YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v +Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov +wTLSA/z7c8nVCVoZI9Y= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem new file mode 100644 index 000000000..209b48f3a --- /dev/null +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAvYLOjgx2zonPXkNainoTFYjBa33NTxe7/+jDUXQp/1rgMuOj +yo76SbeDJsHI1BC/UutnV6r7zYbLhFhdTUWeELp1zxqhsOZRCRj/y5he1SZ68oXl +BxthyIMunTVbWrQM40CVz/3Ca8laG+Oz2K1Y4EJ8BRwfd5Q28yCRzuGVBOqt5lMf +jPInozngmJuROzJ9WD/XI5PjXNRTdv68j+v2Q0EJhynYOt2F3FfqYSJJPIMD84yW +C8JruQ+KdQvgUm1A4UGjMKwZwPbw40tzwBuSCB80AFcJyU9UBc5NrAkXd1FZwyEi +U0tbFYxVG8S3k6QAR3L+ZcYG+1UCuYaeYD7zNwIDAQABAoIBAQCCGgsz+dqWcIWs +cRD3gFcZsYkYAoWwhtrKFUIB6X3rkLfaN+16Yi3x7cpcES2OaPDwPCv2Q6warS+K +7B8hrWmWkmvOgrn+eB+p3z+8xh5UttYxKTrSZjn7LhQSWU8eNf2jBfPTlqKi3Ni/ +zNLrLhaV3w7Fc0knDtmqj/GJ1dQ4SrUpME3sREpWbGSzjJ2UsR7iqQiDsYwWHzK2 +nWWwzrSmpObhDR3jiyOwBy/DEjXRC7h0fUL8eBghJvLWgFgifI5Z36FXa0FasxQr +zKZnQdwuJHqQz7+sVjAmKtNd7x7RE5Ii0oQYiWDFr0OAwKD5UfMNydpcOVC/bV2n +SKWmguoBAoGBAO73MTPP9ne4cfC7t4k2+F9hkb7mAjAbk9GbTyZyEKSDKH2bL02W +G4kXdlkvZVgKhIDg8PCouRSQKv2IxubDrarFURb5KMJlyfBV1Q8JSxpVtxK69clq +yIu/AtiiBE/n11MdmdoJLr6l2nNStJummj2jw5OyN8sdJarf83rCy+ITAoGBAMsF +IfivZ+Tueavy0tGRb1qqKalIhwzLBRmWCna39bB9rK4eTNio5Oes95mC7t8mslmO +18enKUTO87svWLzo8NVYIKSqg5B+kIN44hROErlV6HHPVd5vJzZFjH7SSfy5y8Ka +wmsA1xiG6NEgEndc6F6uQ2YdaZAHWFO6CiTNpq7NAoGADXglb9QzAkCFO5p5F+Tf +TxEC1A3G5ctII7JrXbFkOsGh0KKkoezqFGocI57GSZYeLd1/9zCrbftKUQwamftB +mLSSg4b7wylVnpRX9AcEErHuJcIgBIBeWXIkyO0o7RAWVPsAJwgJeHmEvKdWwsc7 +PmoypeqPtoUoEF+bK7o7H70CgYAYlYaHlrX+AuK4766XsgTJ9dEVrrKr2enEL2cU ++THHLXC7pO+pTMprQ4a4ECLc4tK2BZYblyJoMqdRA2q7dXm0W/eX+Q31cV4OjZTS +4KFj0ANVxMWhKdSVvdZFhTFwaQ9DgXoJexCQ58VJjZiu25FH5dJDi0w9JKaNfPm9 +eym0AQKBgHhfqD9EXxazoP27NyZAFUSA3r4u06qFjbAEjbuJVAJNSuEu6Sht2uIg +lCHpTPssDLHVSY0faQwY4vPqJZVg0k/rAu2VlvbJxYrdzXr8eTfPRJrhv/s/Tbro +n1rmisBKov1P2Cu2e03a8+GDO3lpSZr9YNG/e7wggSbfAvqCoUDF +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem new file mode 100644 index 000000000..8492fbd45 --- /dev/null +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX +T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl +vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii +S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW +LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM +YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD +j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI +U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM +2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE +HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd +hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG +C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK +omBYfxqp +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem new file mode 100644 index 000000000..abd1554e5 --- /dev/null +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291 +bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx +2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2 +LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE +RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF +UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/ +98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB +ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq ++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy +8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9 +Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR +P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV +UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt +0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT +5qILUTmI +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf new file mode 100644 index 000000000..134218eec --- /dev/null +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf @@ -0,0 +1,4 @@ +--cert /etc/ipsec.d/aacerts/aaCert.pem +--key /etc/openac/aaKey.pem +--quiet +--hours 8 diff --git a/testing/tests/ikev1/attr-cert/posttest.dat b/testing/tests/ikev1/attr-cert/posttest.dat new file mode 100644 index 000000000..a59c3ff63 --- /dev/null +++ b/testing/tests/ikev1/attr-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/openac/* +moon::rm /etc/ipsec.d/aacerts/aaCert.pem +moon::rm /etc/ipsec.d/acerts/* diff --git a/testing/tests/ikev1/attr-cert/pretest.dat b/testing/tests/ikev1/attr-cert/pretest.dat new file mode 100644 index 000000000..b3fecaf3c --- /dev/null +++ b/testing/tests/ikev1/attr-cert/pretest.dat @@ -0,0 +1,12 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::cat /etc/openac/default.conf +moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem +moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/ikev1/attr-cert/test.conf b/testing/tests/ikev1/attr-cert/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/ikev1/attr-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/compress/description.txt b/testing/tests/ikev1/compress/description.txt new file mode 100644 index 000000000..47829839d --- /dev/null +++ b/testing/tests/ikev1/compress/description.txt @@ -0,0 +1,3 @@ +This scenario enables IPCOMP compression between roadwarrior carol and +gateway moon. Two pings from carol to alice checks +the established tunnel with compression. diff --git a/testing/tests/ikev1/compress/evaltest.dat b/testing/tests/ikev1/compress/evaltest.dat new file mode 100644 index 000000000..ff72e1762 --- /dev/null +++ b/testing/tests/ikev1/compress/evaltest.dat @@ -0,0 +1,10 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::policy.*COMPRESS::YES +carol::ipsec statusall::policy.*COMPRESS::YES +moon::ipsec statusall::comp.::YES +carol::ipsec statusall::comp.::YES +carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..abf3049d8 --- /dev/null +++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + compress=yes + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..855718f5d --- /dev/null +++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + compress=yes + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/compress/posttest.dat b/testing/tests/ikev1/compress/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/compress/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/compress/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/ikev1/compress/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/crl-from-cache/description.txt b/testing/tests/ikev1/crl-from-cache/description.txt new file mode 100644 index 000000000..17866f572 --- /dev/null +++ b/testing/tests/ikev1/crl-from-cache/description.txt @@ -0,0 +1,5 @@ +By setting strictcrlpolicy=yes a strict CRL policy is enforced on +both roadwarrior carol and gateway moon. When carol initiates +an IPsec connection to moon, both VPN endpoints find a cached CRL in +their /etc/ipsec.d/crls/ directories which allows them to immediately verify +the certificate received from their peer. diff --git a/testing/tests/ikev1/crl-from-cache/evaltest.dat b/testing/tests/ikev1/crl-from-cache/evaltest.dat new file mode 100644 index 000000000..dd200c8ef --- /dev/null +++ b/testing/tests/ikev1/crl-from-cache/evaltest.dat @@ -0,0 +1,10 @@ +moon::cat /var/log/auth.log::loaded crl file::YES +carol::cat /var/log/auth.log::loaded crl file::YES +moon::cat /var/log/auth.log::X.509 certificate rejected::NO +carol::cat /var/log/auth.log::X.509 certificate rejected::NO +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file::NO +carol::cat /var/log/auth.log::written crl file::NO +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..59cbe67ba --- /dev/null +++ b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..9a2efb73d --- /dev/null +++ b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/crl-from-cache/posttest.dat b/testing/tests/ikev1/crl-from-cache/posttest.dat new file mode 100644 index 000000000..be17847c1 --- /dev/null +++ b/testing/tests/ikev1/crl-from-cache/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/ikev1/crl-from-cache/pretest.dat b/testing/tests/ikev1/crl-from-cache/pretest.dat new file mode 100644 index 000000000..acdb265ed --- /dev/null +++ b/testing/tests/ikev1/crl-from-cache/pretest.dat @@ -0,0 +1,8 @@ +moon::wget -q http://crl.strongswan.org/strongswan.crl +moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +carol::wget -q http://crl.strongswan.org/strongswan.crl +carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/crl-from-cache/test.conf b/testing/tests/ikev1/crl-from-cache/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/crl-from-cache/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/crl-ldap/description.txt b/testing/tests/ikev1/crl-ldap/description.txt new file mode 100644 index 000000000..02dc0cbbe --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/description.txt @@ -0,0 +1,9 @@ +By setting strictcrlpolicy=yes a strict CRL policy is enforced on +both roadwarrior carol and gateway moon. Thus when carol initiates +the connection and only an expired CRL cache file in /etc/ipsec.d/crls is +available, the Main Mode negotiation fails. A http fetch for an updated CRL fails +because the web server is currently not reachable. Thus the second Main Mode negotiation +fails, too. Finally an ldap fetch to get the CRL from the LDAP server winnetou +is triggered. When the third Main Mode trial comes around, the fetched CRL has become +available and the IKE negotiation completes. The new CRL is again cached locally as a +file in /etc/ipsec.d/crls due to the cachecrls=yes option. diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat new file mode 100644 index 000000000..2b98e086a --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/evaltest.dat @@ -0,0 +1,16 @@ +moon::cat /var/log/auth.log::loaded crl file::YES +carol::cat /var/log/auth.log::loaded crl file::YES +moon::cat /var/log/auth.log::crl update is overdue::YES +carol::cat /var/log/auth.log::crl update is overdue::YES +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::Trying LDAP URL::YES +carol::cat /var/log/auth.log::Trying LDAP URL::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file::YES +carol::cat /var/log/auth.log::written crl file::YES +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..571459bae --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..40e32f14a --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=2 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl new file mode 100644 index 000000000..75e8b0959 Binary files /dev/null and b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl differ diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..8de514a2e --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..eaaaa3f42 --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,41 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=2 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl new file mode 100644 index 000000000..75e8b0959 Binary files /dev/null and b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl differ diff --git a/testing/tests/ikev1/crl-ldap/posttest.dat b/testing/tests/ikev1/crl-ldap/posttest.dat new file mode 100644 index 000000000..bddd87424 --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +winnetou::/etc/init.d/slapd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/ikev1/crl-ldap/pretest.dat b/testing/tests/ikev1/crl-ldap/pretest.dat new file mode 100644 index 000000000..64fa8116b --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/pretest.dat @@ -0,0 +1,8 @@ +winnetou::/etc/init.d/slapd start +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home +carol::sleep 3 diff --git a/testing/tests/ikev1/crl-ldap/test.conf b/testing/tests/ikev1/crl-ldap/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/crl-revoked/description.txt b/testing/tests/ikev1/crl-revoked/description.txt new file mode 100644 index 000000000..780068ce6 --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/description.txt @@ -0,0 +1,7 @@ +By setting strictcrlpolicy=yes a strict CRL policy is enforced on +both roadwarrior carol and gateway moon. Thus when carol initiates +the connection and no current CRL is available, the Main Mode negotiation fails +and a http fetch to get the CRL from the web server winnetou is triggered. +When the second Main Mode trial comes around the fetched CRL will be available +but because the certificate presented by carol has been revoked, +the IKE negotatiation will fail. diff --git a/testing/tests/ikev1/crl-revoked/evaltest.dat b/testing/tests/ikev1/crl-revoked/evaltest.dat new file mode 100644 index 000000000..0fd1cae8c --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listcrls:: ok::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..6b4650fb8 --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolRevokedCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem new file mode 100644 index 000000000..5b742fc9e --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV +mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo +5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv +VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN +IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 +K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 +OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB +56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM +2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q +O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL +LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 +wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N +9IcgYi5x +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem new file mode 100644 index 000000000..8aefcc5a6 --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn +hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb +v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7 +HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx +vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE +UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU +WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf +OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu +og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2 +MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/ +khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx +uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07 +a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt +7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+ +rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y +ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf +IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi +CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3 +baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R +TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP +r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i +jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH +46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva +o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa +9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..8e31be4cb --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolRevokedKey.pem diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..143bace9a --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/crl-revoked/posttest.dat b/testing/tests/ikev1/crl-revoked/posttest.dat new file mode 100644 index 000000000..d742e8410 --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/crl-revoked/pretest.dat b/testing/tests/ikev1/crl-revoked/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/crl-revoked/test.conf b/testing/tests/ikev1/crl-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/crl-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/crl-strict/description.txt b/testing/tests/ikev1/crl-strict/description.txt new file mode 100644 index 000000000..97011482e --- /dev/null +++ b/testing/tests/ikev1/crl-strict/description.txt @@ -0,0 +1,6 @@ +By setting strictcrlpolicy=yes a strict CRL policy is enforced on +both roadwarrior carol and gateway moon. Thus when carol initiates +the connection and no current CRL is available, the Main Mode negotiation fails +but a http fetch to get the CRL from the web server winnetou is triggered. +When the second Main Mode trial comes around, the fetched CRL will be available +and the IKE negotiation completes. diff --git a/testing/tests/ikev1/crl-strict/evaltest.dat b/testing/tests/ikev1/crl-strict/evaltest.dat new file mode 100644 index 000000000..1d7adb05e --- /dev/null +++ b/testing/tests/ikev1/crl-strict/evaltest.dat @@ -0,0 +1,8 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..93bd80758 --- /dev/null +++ b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..143bace9a --- /dev/null +++ b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/crl-strict/posttest.dat b/testing/tests/ikev1/crl-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/crl-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/crl-strict/pretest.dat b/testing/tests/ikev1/crl-strict/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/ikev1/crl-strict/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/crl-strict/test.conf b/testing/tests/ikev1/crl-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/crl-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/crl-to-cache/description.txt b/testing/tests/ikev1/crl-to-cache/description.txt new file mode 100644 index 000000000..9f542e73d --- /dev/null +++ b/testing/tests/ikev1/crl-to-cache/description.txt @@ -0,0 +1,6 @@ +By setting cachecrls=yes in ipsec.conf, a copy of the CRL fetched +via http from the web server winnetou is saved locally in the +directory /etc/ipsec.d/crls on both the roadwarrior carol +and the gateway moon when the IPsec connection is set up. The +subjectKeyIdentifier of the issuing CA plus the suffix .crl +is used as a unique filename for the cached CRL. diff --git a/testing/tests/ikev1/crl-to-cache/evaltest.dat b/testing/tests/ikev1/crl-to-cache/evaltest.dat new file mode 100644 index 000000000..be7737185 --- /dev/null +++ b/testing/tests/ikev1/crl-to-cache/evaltest.dat @@ -0,0 +1,4 @@ +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..e64a8fb5a --- /dev/null +++ b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + cachecrls=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..666fc0698 --- /dev/null +++ b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + cachecrls=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/crl-to-cache/posttest.dat b/testing/tests/ikev1/crl-to-cache/posttest.dat new file mode 100644 index 000000000..be17847c1 --- /dev/null +++ b/testing/tests/ikev1/crl-to-cache/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/ikev1/crl-to-cache/pretest.dat b/testing/tests/ikev1/crl-to-cache/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/ikev1/crl-to-cache/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/crl-to-cache/test.conf b/testing/tests/ikev1/crl-to-cache/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/crl-to-cache/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/default-keys/description.txt b/testing/tests/ikev1/default-keys/description.txt new file mode 100644 index 000000000..639e909da --- /dev/null +++ b/testing/tests/ikev1/default-keys/description.txt @@ -0,0 +1,8 @@ +Because of the missing /etc/ipsec.secrets file, roadwarrior carol +and gateway moon each automatically generate a PKCS#1 RSA private key +and a self-signed X.509 certificate. Because the UML testing environment does +not offer enough entropy, the non-blocking /dev/urandom device is used in place +of /dev/random for generating the random primes. +

+The self-signed certificates are then distributed to the peers via scp +and are used to set up a road warrior connection initiated by carol diff --git a/testing/tests/ikev1/default-keys/evaltest.dat b/testing/tests/ikev1/default-keys/evaltest.dat new file mode 100644 index 000000000..a18e3997e --- /dev/null +++ b/testing/tests/ikev1/default-keys/evaltest.dat @@ -0,0 +1,9 @@ +carol::cat /var/log/auth.log::scepclient::YES +moon::cat /var/log/auth.log::scepclient::YES +carol::cat /var/log/auth.log::we have a cert but are not sending it::YES +moon::cat /var/log/auth.log::we have a cert but are not sending it::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..0ec9d47ed --- /dev/null +++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=peerCert.der + auto=add diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..13ad3063f --- /dev/null +++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables @@ -0,0 +1,78 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ed1b40549 --- /dev/null +++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn carol + left=PH_IP_MOON + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + rightcert=peerCert.der + auto=add + diff --git a/testing/tests/ikev1/default-keys/posttest.dat b/testing/tests/ikev1/default-keys/posttest.dat new file mode 100644 index 000000000..8cada5e7e --- /dev/null +++ b/testing/tests/ikev1/default-keys/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/default-keys/pretest.dat b/testing/tests/ikev1/default-keys/pretest.dat new file mode 100644 index 000000000..88f9a2ca9 --- /dev/null +++ b/testing/tests/ikev1/default-keys/pretest.dat @@ -0,0 +1,18 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.secrets +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::rm /etc/ipsec.secrets +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +moon::sleep 5 +moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der +moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der +moon::ipsec reload +carol::ipsec reload +carol::ipsec up home diff --git a/testing/tests/ikev1/default-keys/test.conf b/testing/tests/ikev1/default-keys/test.conf new file mode 100644 index 000000000..0baa48d90 --- /dev/null +++ b/testing/tests/ikev1/default-keys/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/double-nat-net/description.txt b/testing/tests/ikev1/double-nat-net/description.txt new file mode 100644 index 000000000..ff09155f6 --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/description.txt @@ -0,0 +1,7 @@ +The roadwarrior alice sitting behind the NAT router moon sets up a +tunnel to the subnet hiding behind the NAT router sun. All IKE and ESP traffic +directed to the router sun is forwarded to the VPN gateway bob +using destination NAT. UDP encapsulation is used to traverse the NAT routers. +leftfirewall=yes automatically inserts iptables-based firewall rules that +let pass the tunneled traffic. In order to test the double NAT-ed IPsec +tunnel alice pings the inner IP address of the router sun. diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat new file mode 100644 index 000000000..d00613c07 --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..5c0763734 --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=bob@strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf new file mode 100755 index 000000000..e79b2ca35 --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftsubnet=10.2.0.0/16 + leftcert=bobCert.pem + leftid=bob@strongswan.org + leftfirewall=yes + right=%any + rightsubnetwithin=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat new file mode 100644 index 000000000..484297418 --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/posttest.dat @@ -0,0 +1,9 @@ +bob::ipsec stop +alice::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +bob::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +sun::iptables -t nat -F +moon::conntrack -F +sun::conntrack -F +sun::ip route del 10.1.0.0/16 via PH_IP_BOB diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat new file mode 100644 index 000000000..84bc15092 --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/pretest.dat @@ -0,0 +1,15 @@ +alice::/etc/init.d/iptables start 2> /dev/null +bob::/etc/init.d/iptables start 2> /dev/null +bob::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 +sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB +sun::ip route add 10.1.0.0/16 via PH_IP_BOB +alice::ipsec start +bob::ipsec start +alice::sleep 2 +alice::ipsec up nat-t + diff --git a/testing/tests/ikev1/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf new file mode 100644 index 000000000..1ca2ffe5a --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice bob" diff --git a/testing/tests/ikev1/double-nat/description.txt b/testing/tests/ikev1/double-nat/description.txt new file mode 100644 index 000000000..ce7de0e56 --- /dev/null +++ b/testing/tests/ikev1/double-nat/description.txt @@ -0,0 +1,5 @@ +The roadwarrior alice sitting behind the NAT router moon sets up a tunnel to +the peer bob hiding behind the NAT router sun. UDP encapsulation is used to +traverse the NAT routers. leftfirewall=yes automatically inserts iptables-based +firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec +tunnel alice pings bob. diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat new file mode 100644 index 000000000..05e751422 --- /dev/null +++ b/testing/tests/ikev1/double-nat/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..3533c3f8b --- /dev/null +++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=bob@strongswan.org + rightsubnet=PH_IP_BOB/32 + auto=add diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat new file mode 100644 index 000000000..5d39e406d --- /dev/null +++ b/testing/tests/ikev1/double-nat/posttest.dat @@ -0,0 +1,8 @@ +bob::ipsec stop +alice::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +bob::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +sun::iptables -t nat -F +moon::conntrack -F +sun::conntrack -F diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat new file mode 100644 index 000000000..cf495b778 --- /dev/null +++ b/testing/tests/ikev1/double-nat/pretest.dat @@ -0,0 +1,13 @@ +alice::/etc/init.d/iptables start 2> /dev/null +bob::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 +sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB +alice::ipsec start +bob::ipsec start +alice::sleep 2 +alice::ipsec up nat-t + diff --git a/testing/tests/ikev1/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf new file mode 100644 index 000000000..1ca2ffe5a --- /dev/null +++ b/testing/tests/ikev1/double-nat/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice bob" diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt new file mode 100644 index 000000000..f76b2d741 --- /dev/null +++ b/testing/tests/ikev1/dpd-clear/description.txt @@ -0,0 +1,5 @@ +The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon +which in turn activates Dead Peer Detection (DPD) with a polling interval of 10 s. +When the network connectivity between carol and moon is forcefully disrupted, +moon clears the connection after the configured timeout of 30 s. + diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat new file mode 100644 index 000000000..98d5b146b --- /dev/null +++ b/testing/tests/ikev1/dpd-clear/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES +carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO +moon::sleep 50::no output expected::NO +moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES +moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES +moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES +moon::cat /var/log/auth.log::DPD: Clearing connection::YES diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..281293545 --- /dev/null +++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + dpdaction=clear + dpddelay=10 + dpdtimeout=30 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add + + + diff --git a/testing/tests/ikev1/dpd-clear/posttest.dat b/testing/tests/ikev1/dpd-clear/posttest.dat new file mode 100644 index 000000000..931db4272 --- /dev/null +++ b/testing/tests/ikev1/dpd-clear/posttest.dat @@ -0,0 +1,3 @@ +carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/dpd-clear/pretest.dat b/testing/tests/ikev1/dpd-clear/pretest.dat new file mode 100644 index 000000000..14ed95322 --- /dev/null +++ b/testing/tests/ikev1/dpd-clear/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/dpd-clear/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt new file mode 100644 index 000000000..c7918fa38 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior carol proposes to gateway moon +the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall +marks all incoming AH packets with the ESP mark. The transport mode connection is +tested by carol sending a ping to gateway moon. diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat new file mode 100644 index 000000000..7c498ad83 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES +carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES +moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES +moon::tcpdump::AH.*ESP::YES diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..8c8817539 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..21f56705c --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..3e8922581 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..274a1aa18 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightid=carol@strongswan.org + type=transport + auto=add diff --git a/testing/tests/ikev1/esp-ah-transport/posttest.dat b/testing/tests/ikev1/esp-ah-transport/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-ah-transport/pretest.dat b/testing/tests/ikev1/esp-ah-transport/pretest.dat new file mode 100644 index 000000000..bd68efb0b --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-ah-transport/test.conf b/testing/tests/ikev1/esp-ah-transport/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-transport/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt new file mode 100644 index 000000000..809f28c57 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/description.txt @@ -0,0 +1,6 @@ +In IKE phase 2 the roadwarrior carol proposes to gateway moon +the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall +marks all incoming AH packets with the ESP mark. The tunnel mode connection is +tested by carol sending a ping to client alice hiding behind +gateway moon. diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat new file mode 100644 index 000000000..8f4a99641 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES +moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES +moon::tcpdump::AH.*ESP::YES diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..8c8817539 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..8c72a7b7f --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..3e8922581 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ccf8e91fa --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-ah-tunnel/posttest.dat b/testing/tests/ikev1/esp-ah-tunnel/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat new file mode 100644 index 000000000..bd68efb0b --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/ikev1/esp-ah-tunnel/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/esp-alg-des/description.txt b/testing/tests/ikev1/esp-alg-des/description.txt new file mode 100644 index 000000000..9546569dd --- /dev/null +++ b/testing/tests/ikev1/esp-alg-des/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior carol proposes to gateway moon +the ESP 1DES encryption algorithm with MD5 authentication. moon must +explicitly accept the choice of this insecure algorithm by setting the strict +flag '!' in esp=des-md5!. The tunnel is tested by carol +sending a ping to client alice behind gateway moon. diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat new file mode 100644 index 000000000..8e06392f1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-des/evaltest.dat @@ -0,0 +1,6 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES +carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b8ef03cfe --- /dev/null +++ b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-md5-modp1024! + esp=des-md5! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..3ac0bf4cf --- /dev/null +++ b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=3des-md5-modp1024! + esp=des-md5! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-des/posttest.dat b/testing/tests/ikev1/esp-alg-des/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-des/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-des/pretest.dat b/testing/tests/ikev1/esp-alg-des/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-des/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-des/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/esp-alg-null/description.txt b/testing/tests/ikev1/esp-alg-null/description.txt new file mode 100644 index 000000000..7880a799c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior carol proposes to gateway moon +the ESP NULL encryption algorithm with SHA-1 authentication. moon must +explicitly accept the choice of this insecure algorithm by setting the strict +flag '!' in esp=null-sha1!. The tunnel is tested by carol +sending a ping to client alice behind gateway moon. diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat new file mode 100644 index 000000000..de2f2a571 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES +carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..7a8ae37c9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes-128-sha + esp=null-sha1! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..187a3fb17 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=null-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev1/esp-alg-null/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt new file mode 100644 index 000000000..03c655480 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict-fail/description.txt @@ -0,0 +1,5 @@ +The roadwarrior carol proposes 3DES encryption with SHA-1 authentication +as the only cipher suite for both the ISAKMP and IPsec SA. The gateway moon defines +ike=aes-128-sha only, but will accept any other support algorithm proposed by the peer, +leading to a successful negotiation of Phase 1. Because for Phase 2 moon enforces +esp=aes-128-sha1! by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat new file mode 100644 index 000000000..6f2024ff9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES +carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES +moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO +moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES +moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..4ed2fb645 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha + esp=3des-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f8c27ad7c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha + esp=aes128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat b/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat b/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-strict-fail/test.conf b/testing/tests/ikev1/esp-alg-strict-fail/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict-fail/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt new file mode 100644 index 000000000..b4fc08253 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict/description.txt @@ -0,0 +1,7 @@ +Roadwarrior carol proposes 3DES encryption (together with +SHA-1 authentication) in the first place and AES-128 encryption in +second place for both the ISAKMP and IPsec SAs. Gateway moon defines +ike=aes-128-sha but will accept any other supported algorithm proposed +by the peer during Phase 1. But for ESP encryption moon enforces +esp=aes-128-sha1! by applying the strict flag '!'. + diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat new file mode 100644 index 000000000..d5dd12d4e --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES +moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES +carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..da86d14df --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha,aes-128-sha + esp=3des-sha1,aes-128-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f8c27ad7c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha + esp=aes128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-strict/posttest.dat b/testing/tests/ikev1/esp-alg-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-strict/pretest.dat b/testing/tests/ikev1/esp-alg-strict/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-strict/test.conf b/testing/tests/ikev1/esp-alg-strict/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-strict/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt new file mode 100644 index 000000000..ffb6882f5 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-weak/description.txt @@ -0,0 +1,5 @@ +The roadwarrior carol proposes 1DES encryption with MD5 authentication +as the only cipher suite for the IPsec SA. Because gateway moon does +not use an explicit esp statement any strong encryption algorithm will be +accepted but any weak key length will be rejected by default and thus the ISAKMP SA +is bound to fail. diff --git a/testing/tests/ikev1/esp-alg-weak/evaltest.dat b/testing/tests/ikev1/esp-alg-weak/evaltest.dat new file mode 100644 index 000000000..72b14e805 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-weak/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO +moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES +moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b8ef03cfe --- /dev/null +++ b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-md5-modp1024! + esp=des-md5! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..691b6b74f --- /dev/null +++ b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-weak/posttest.dat b/testing/tests/ikev1/esp-alg-weak/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-weak/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-weak/pretest.dat b/testing/tests/ikev1/esp-alg-weak/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-weak/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-weak/test.conf b/testing/tests/ikev1/esp-alg-weak/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-weak/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/host2host-cert/description.txt b/testing/tests/ikev1/host2host-cert/description.txt new file mode 100644 index 000000000..6be21bf8f --- /dev/null +++ b/testing/tests/ikev1/host2host-cert/description.txt @@ -0,0 +1,4 @@ +A connection between the hosts moon and sun is successfully set up. +The authentication is based on X.509 certificates. leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the host-to-host tunnel moon pings sun. diff --git a/testing/tests/ikev1/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/ikev1/host2host-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat new file mode 100644 index 000000000..5a9150bc8 --- /dev/null +++ b/testing/tests/ikev1/host2host-cert/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat new file mode 100644 index 000000000..3536fd886 --- /dev/null +++ b/testing/tests/ikev1/host2host-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/ikev1/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/ikev1/host2host-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/host2host-swapped/description.txt b/testing/tests/ikev1/host2host-swapped/description.txt new file mode 100644 index 000000000..34cfe43cc --- /dev/null +++ b/testing/tests/ikev1/host2host-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test host2host-cert but with +swapped end definitions: right denotes the local side whereas +left stands for the remote peer. diff --git a/testing/tests/ikev1/host2host-swapped/evaltest.dat b/testing/tests/ikev1/host2host-swapped/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/ikev1/host2host-swapped/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..10597bc58 --- /dev/null +++ b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn host-host + right=PH_IP_MOON + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightfirewall=yes + left=PH_IP_SUN + leftid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..45121d967 --- /dev/null +++ b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn host-host + right=PH_IP_SUN + rightnexthop=%direct + rightcert=sunCert.pem + rightfirewall=yes + rightid=@sun.strongswan.org + left=PH_IP_MOON + leftid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/host2host-swapped/posttest.dat b/testing/tests/ikev1/host2host-swapped/posttest.dat new file mode 100644 index 000000000..5a9150bc8 --- /dev/null +++ b/testing/tests/ikev1/host2host-swapped/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/host2host-swapped/pretest.dat b/testing/tests/ikev1/host2host-swapped/pretest.dat new file mode 100644 index 000000000..e2d98f2eb --- /dev/null +++ b/testing/tests/ikev1/host2host-swapped/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/ikev1/host2host-swapped/test.conf b/testing/tests/ikev1/host2host-swapped/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/ikev1/host2host-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/host2host-transport/description.txt b/testing/tests/ikev1/host2host-transport/description.txt new file mode 100644 index 000000000..fe3482c96 --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/description.txt @@ -0,0 +1,4 @@ +An IPsec transport-mode connection between the hosts moon and sun is +successfully set up. leftfirewall=yes automatically inserts iptables-based firewall +rules that let pass the decrypted IP packets. In order to test the host-to-host connection +moon pings sun. diff --git a/testing/tests/ikev1/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..44ac885ce --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..a89e799bd --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + type=transport + auto=add + diff --git a/testing/tests/ikev1/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat new file mode 100644 index 000000000..5a9150bc8 --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat new file mode 100644 index 000000000..e2d98f2eb --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/ikev1/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/ike-alg-sha2_384/description.txt b/testing/tests/ikev1/ike-alg-sha2_384/description.txt new file mode 100644 index 000000000..a347a3fed --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_384/description.txt @@ -0,0 +1,4 @@ +Roadwarrior carol proposes to gateway moon the strong cipher suite +AES_CBC_192-SHA2_384-MODP4096 for the IKE protocol and +AES_192-HMAC_SHA2_256 for ESP packets. A ping from carol to +alice successfully checks the established tunnel. diff --git a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat new file mode 100644 index 000000000..31959f53a --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2bf2f8740 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes192-sha2_384-modp4096! + esp=aes192-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..5baf8f1d9 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes192-sha2_384-modp4096! + esp=aes192-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/ike-alg-sha2_384/posttest.dat b/testing/tests/ikev1/ike-alg-sha2_384/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_384/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/ike-alg-sha2_384/pretest.dat b/testing/tests/ikev1/ike-alg-sha2_384/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_384/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/ike-alg-sha2_384/test.conf b/testing/tests/ikev1/ike-alg-sha2_384/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_384/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/ike-alg-sha2_512/description.txt b/testing/tests/ikev1/ike-alg-sha2_512/description.txt new file mode 100644 index 000000000..1bec4b8c6 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_512/description.txt @@ -0,0 +1,4 @@ +Roadwarrior carol proposes to gateway moon the paranoid cipher suite +AES_CBC_256-SHA2_512-MODP8192 for the IKE protocol and +AES_256-HMAC_SHA2_256 for ESP packets. A ping from carol to +alice successfully checks the established tunnel. diff --git a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat new file mode 100644 index 000000000..dbd35429c --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES +moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..8b1052f91 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes256-sha2_512-modp8192! + esp=aes256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..62b93c428 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes256-sha2_512-modp8192! + esp=aes256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat b/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat b/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/ike-alg-sha2_512/test.conf b/testing/tests/ikev1/ike-alg-sha2_512/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/ike-alg-sha2_512/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt new file mode 100644 index 000000000..03c655480 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict-fail/description.txt @@ -0,0 +1,5 @@ +The roadwarrior carol proposes 3DES encryption with SHA-1 authentication +as the only cipher suite for both the ISAKMP and IPsec SA. The gateway moon defines +ike=aes-128-sha only, but will accept any other support algorithm proposed by the peer, +leading to a successful negotiation of Phase 1. Because for Phase 2 moon enforces +esp=aes-128-sha1! by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat new file mode 100644 index 000000000..931b8855a --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES +moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..4ed2fb645 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha + esp=3des-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..1a8b0b966 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat b/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat b/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/ike-alg-strict-fail/test.conf b/testing/tests/ikev1/ike-alg-strict-fail/test.conf new file mode 100644 index 000000000..7e7848831 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict-fail/test.conf @@ -0,0 +1,21 @@ +##!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt new file mode 100644 index 000000000..35d266e20 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict/description.txt @@ -0,0 +1,5 @@ +The roadwarrior carol proposes 3DES encryption with SHA-1 authentication in the first place +and AES-128 encryption with SHA-1 authentication in the second place for both the ISAKMP and IPsec SA. +The gateway moon enforces ike=aes-128-sha! for Phase 1 by using the strict flag '!', +but will accept any other supported algorithm proposed by the peer for Phase 2 , even though moon +defines itself esp=aes-128-sha1 only. diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat new file mode 100644 index 000000000..46140be8a --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES +moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES +carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..da86d14df --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha,aes-128-sha + esp=3des-sha1,aes-128-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..1a8b0b966 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/ike-alg-strict/posttest.dat b/testing/tests/ikev1/ike-alg-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/ike-alg-strict/pretest.dat b/testing/tests/ikev1/ike-alg-strict/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/ike-alg-strict/test.conf b/testing/tests/ikev1/ike-alg-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/ike-alg-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/mode-config-push/description.txt b/testing/tests/ikev1/mode-config-push/description.txt new file mode 100644 index 000000000..387c3b409 --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +Both carol and dave request a virtual IP via the IKE Mode Config protocol +by using the leftsourceip=%modeconfig parameter. By setting the option modeconfig=push +on both the roadwarriors and the gateway, the Mode Config server moon will actively push +the configuration down to carol and dave. +

+leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnels, carol and dave then ping the client +alice behind the gateway moon. The source IP addresses of the two pings will +be the virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/ikev1/mode-config-push/evaltest.dat b/testing/tests/ikev1/mode-config-push/evaltest.dat new file mode 100644 index 000000000..7de32d681 --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..db8cfd5c4 --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + modeconfig=push + auto=add + + + + diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..cc330b47f --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + modeconfig=push + auto=add + + + + diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..3de856642 --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + modeconfig=push + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftsourceip=PH_IP_MOON1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn rw-carol + right=%any + rightid=carol@strongswan.org + rightsourceip=PH_IP_CAROL1 + auto=add + +conn rw-dave + right=%any + rightid=dave@strongswan.org + rightsourceip=PH_IP_DAVE1 + auto=add diff --git a/testing/tests/ikev1/mode-config-push/posttest.dat b/testing/tests/ikev1/mode-config-push/posttest.dat new file mode 100644 index 000000000..42fa8359b --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP_CAROL1/32 dev eth0 +dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/mode-config-push/pretest.dat b/testing/tests/ikev1/mode-config-push/pretest.dat new file mode 100644 index 000000000..bb222992e --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/mode-config-push/test.conf b/testing/tests/ikev1/mode-config-push/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/mode-config-swapped/description.txt b/testing/tests/ikev1/mode-config-swapped/description.txt new file mode 100644 index 000000000..e29e6f654 --- /dev/null +++ b/testing/tests/ikev1/mode-config-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test mode-config but with +swapped end definitions: right denotes the local side whereas +left stands for the remote peer. diff --git a/testing/tests/ikev1/mode-config-swapped/evaltest.dat b/testing/tests/ikev1/mode-config-swapped/evaltest.dat new file mode 100644 index 000000000..9d60cf7b0 --- /dev/null +++ b/testing/tests/ikev1/mode-config-swapped/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bcc0ff25 --- /dev/null +++ b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_CAROL + rightsourceip=%modeconfig + rightnexthop=%direct + rightcert=carolCert.pem + rightid=carol@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7933ef15a --- /dev/null +++ b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_DAVE + rightsourceip=%modeconfig + rightnexthop=%direct + rightcert=daveCert.pem + rightid=dave@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..53b81a534 --- /dev/null +++ b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightsourceip=PH_IP_MOON1 + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightfirewall=yes + +conn rw-carol + left=%any + leftid=carol@strongswan.org + leftsourceip=PH_IP_CAROL1 + auto=add + +conn rw-dave + left=%any + leftid=dave@strongswan.org + leftsourceip=PH_IP_DAVE1 + auto=add diff --git a/testing/tests/ikev1/mode-config-swapped/posttest.dat b/testing/tests/ikev1/mode-config-swapped/posttest.dat new file mode 100644 index 000000000..42fa8359b --- /dev/null +++ b/testing/tests/ikev1/mode-config-swapped/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP_CAROL1/32 dev eth0 +dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/mode-config-swapped/pretest.dat b/testing/tests/ikev1/mode-config-swapped/pretest.dat new file mode 100644 index 000000000..1e45f00fd --- /dev/null +++ b/testing/tests/ikev1/mode-config-swapped/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/mode-config-swapped/test.conf b/testing/tests/ikev1/mode-config-swapped/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev1/mode-config-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/mode-config/description.txt b/testing/tests/ikev1/mode-config/description.txt new file mode 100644 index 000000000..3e67f83f1 --- /dev/null +++ b/testing/tests/ikev1/mode-config/description.txt @@ -0,0 +1,7 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +Both carol and dave request a virtual IP via the IKE Mode Config protocol +by using the leftsourceip=%modeconfig parameter. leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the +tunnels, carol and dave then ping the client alice behind the gateway +moon. The source IP addresses of the two pings will be the virtual IPs carol1 +and dave1, respectively. diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat new file mode 100644 index 000000000..9d60cf7b0 --- /dev/null +++ b/testing/tests/ikev1/mode-config/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2fd734579 --- /dev/null +++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..128c4aa29 --- /dev/null +++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..3367544eb --- /dev/null +++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftsourceip=PH_IP_MOON1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn rw-carol + right=%any + rightid=carol@strongswan.org + rightsourceip=PH_IP_CAROL1 + auto=add + +conn rw-dave + right=%any + rightid=dave@strongswan.org + rightsourceip=PH_IP_DAVE1 + auto=add diff --git a/testing/tests/ikev1/mode-config/posttest.dat b/testing/tests/ikev1/mode-config/posttest.dat new file mode 100644 index 000000000..42fa8359b --- /dev/null +++ b/testing/tests/ikev1/mode-config/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP_CAROL1/32 dev eth0 +dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/mode-config/pretest.dat b/testing/tests/ikev1/mode-config/pretest.dat new file mode 100644 index 000000000..bb222992e --- /dev/null +++ b/testing/tests/ikev1/mode-config/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/mode-config/test.conf b/testing/tests/ikev1/mode-config/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev1/mode-config/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca-ldap/description.txt b/testing/tests/ikev1/multi-level-ca-ldap/description.txt new file mode 100644 index 000000000..18fb88840 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/description.txt @@ -0,0 +1,11 @@ +The VPN gateway moon controls the access to the hosts alice and +venus by means of two different Intermediate CAs. Access to +alice is granted to users presenting a certificate issued by the Research CA +whereas venus can only be reached with a certificate issued by the +Sales CA. The roadwarriors carol and dave have certificates from +the Research CA and Sales CA, respectively. Therefore carol can access +alice and dave can reach venus. +

+By setting strictcrlpolicy=yes the CRLs from the strongSwan, Research and +Sales CAs must be fetched from the LDAP server winnetou first, before the +connection setups can be successfully completed. diff --git a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat new file mode 100644 index 000000000..f504706e2 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat @@ -0,0 +1,13 @@ +moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES +dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::Trying LDAP URL::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2917edd8a --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3c8227f19 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..8de514a2e --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..9b1d03320 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,46 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +ca research + cacert=researchCert.pem + crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +ca sales + cacert=salesCert.pem + crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat new file mode 100644 index 000000000..ec4ba6e10 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* +winnetou::/etc/init.d/slapd stop +moon::/etc/init.d/iptables stop 2> /dev/null + diff --git a/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat new file mode 100644 index 000000000..322f42102 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat @@ -0,0 +1,10 @@ +winnetou::/etc/init.d/slapd start +moon::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/ikev1/multi-level-ca-ldap/test.conf b/testing/tests/ikev1/multi-level-ca-ldap/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca-loop/description.txt b/testing/tests/ikev1/multi-level-ca-loop/description.txt new file mode 100644 index 000000000..9b63c2c66 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/description.txt @@ -0,0 +1,6 @@ +The roadwarrior carol, possessing a certificate issued by the +Research CA, tries to set up a tunnel to gateway moon. +The Research CA's certificate is signed by the Sales CA and +the Sales CA's certificate in turn is signed by the Research CA. +This leads to an endless trust path loop but which is aborted by +moon when the path level reaches a depth of 7 iterations. diff --git a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat new file mode 100644 index 000000000..781a7b4ac --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat @@ -0,0 +1,3 @@ +moon::cat /var/log/auth.log::maximum ca path length of 7 levels exceeded::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2c645ead6 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..dcf3c94c7 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem new file mode 100644 index 000000000..efb939e3a --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT +CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf +rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID +BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx +4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q +m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha +/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM +x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB +AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr +Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup +Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg +pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL +rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S +uaJ2yDwEhOHn3ihb1bqlanM= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem new file mode 100644 index 000000000..90e207c4b --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx +MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH +/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq +4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6 +XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562 +kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj +gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 +p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO +clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB +b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI +koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf +Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA +/szZoxwnE2iHtIoMAhfHZpRvOkg= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-loop/posttest.dat b/testing/tests/ikev1/multi-level-ca-loop/posttest.dat new file mode 100644 index 000000000..076f51f4d --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/ikev1/multi-level-ca-loop/pretest.dat b/testing/tests/ikev1/multi-level-ca-loop/pretest.dat new file mode 100644 index 000000000..0a0ec22bf --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/pretest.dat @@ -0,0 +1,6 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice diff --git a/testing/tests/ikev1/multi-level-ca-loop/test.conf b/testing/tests/ikev1/multi-level-ca-loop/test.conf new file mode 100644 index 000000000..3189fdfc7 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-loop/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/multi-level-ca-revoked/description.txt b/testing/tests/ikev1/multi-level-ca-revoked/description.txt new file mode 100644 index 000000000..c91ac285b --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/description.txt @@ -0,0 +1,4 @@ +The roadwarrior carol possesses a certificate issued by the Research CA. +The certificate of the Research CA has been revoked by the Root CA by entering +the serial number in the CRL. Therefore upon verification of the trust path +the gateway moon will reject the roadwarrior's certificate diff --git a/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat new file mode 100644 index 000000000..0fd1cae8c --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listcrls:: ok::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..93bd80758 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ab336c3c8 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..c380a5110 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1 +LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa +6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN +T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r +9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL +cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq +YO2C4HE= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat b/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat new file mode 100644 index 000000000..f84b7e37b --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/multi-level-ca-revoked/test.conf b/testing/tests/ikev1/multi-level-ca-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/multi-level-ca-strict/description.txt b/testing/tests/ikev1/multi-level-ca-strict/description.txt new file mode 100644 index 000000000..32413e3de --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/description.txt @@ -0,0 +1,10 @@ +The VPN gateway moon controls the access to the hosts alice and +venus by means of two different Intermediate CAs. Access to +alice is granted to users presenting a certificate issued by the Research CA +whereas venus can only be reached with a certificate issued by the +Sales CA. The roadwarriors carol and dave have certificates from +the Research CA and Sales CA, respectively. Therefore carol can access +alice and dave can reach venus. +

+By setting strictcrlpolicy=yes the CRLs from the strongSwan, Research and +Sales CAs must be fetched first, before the connection setups can be successfully completed. diff --git a/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat new file mode 100644 index 000000000..5a181a62d --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat @@ -0,0 +1,12 @@ +moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES +dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..d6d32a39d --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..6156fadba --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6b4e37b35 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/posttest.dat b/testing/tests/ikev1/multi-level-ca-strict/posttest.dat new file mode 100644 index 000000000..1646d5ed2 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/ikev1/multi-level-ca-strict/pretest.dat b/testing/tests/ikev1/multi-level-ca-strict/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/ikev1/multi-level-ca-strict/test.conf b/testing/tests/ikev1/multi-level-ca-strict/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca/description.txt b/testing/tests/ikev1/multi-level-ca/description.txt new file mode 100644 index 000000000..64825cb30 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/description.txt @@ -0,0 +1,7 @@ +The VPN gateway moon controls the access to the hosts alice and +venus by means of two different Intermediate CAs. Access to +alice is granted to users presenting a certificate issued by the Research CA +whereas venus can only be reached with a certificate issued by the +Sales CA. The roadwarriors carol and dave have certificates from +the Research CA and Sales CA, respectively. Therefore carol can access +alice and dave can reach venus. diff --git a/testing/tests/ikev1/multi-level-ca/evaltest.dat b/testing/tests/ikev1/multi-level-ca/evaltest.dat new file mode 100644 index 000000000..72f620b8e --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES +moon::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES +dave::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES +moon::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..316cdaecc --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftsendcert=ifasked + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..5838f5f2f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + leftsendcert=ifasked + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e47d453e4 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftsendcert=ifasked + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca/posttest.dat b/testing/tests/ikev1/multi-level-ca/posttest.dat new file mode 100644 index 000000000..1646d5ed2 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/ikev1/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/nat-before-esp/description.txt b/testing/tests/ikev1/nat-before-esp/description.txt new file mode 100644 index 000000000..e42ace476 --- /dev/null +++ b/testing/tests/ikev1/nat-before-esp/description.txt @@ -0,0 +1,6 @@ +An IPsec tunnel connecting the gateway moon with the subnet behind +gateway sun is set up. This host-to-net connection can also be +used by the clients alice and venus via the trick of NAT-ing +them to the outer IP address of gateway moon prior to tunnelling. +The IPsec tunnel is first tested by moon pinging bob and vice versa, +followed by the NAT-ed clients alice and venus pinging bob. diff --git a/testing/tests/ikev1/nat-before-esp/evaltest.dat b/testing/tests/ikev1/nat-before-esp/evaltest.dat new file mode 100644 index 000000000..d466038ed --- /dev/null +++ b/testing/tests/ikev1/nat-before-esp/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec status::host-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-net.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +bob::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +bob::tcpdump::ICMP::YES diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..f87ec0e58 --- /dev/null +++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables @@ -0,0 +1,83 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # NAT traffic from 10.1.0.0/16 + iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE + + # forward traffic from 10.1.0.0/16 to POSTROUTING chain + iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT + iptables -A FORWARD -o eth1 -i eth0 -d 10.1.0.0/16 -s 10.2.0.0/16 -j ACCEPT + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..9637dcf06 --- /dev/null +++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn host-net + left=192.168.0.1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=192.168.0.2 + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..506417867 --- /dev/null +++ b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn host-net + left=192.168.0.2 + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + leftsubnet=10.2.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/nat-before-esp/posttest.dat b/testing/tests/ikev1/nat-before-esp/posttest.dat new file mode 100644 index 000000000..307b96888 --- /dev/null +++ b/testing/tests/ikev1/nat-before-esp/posttest.dat @@ -0,0 +1,5 @@ +moon::iptables -t nat -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/nat-before-esp/pretest.dat b/testing/tests/ikev1/nat-before-esp/pretest.dat new file mode 100644 index 000000000..75565540a --- /dev/null +++ b/testing/tests/ikev1/nat-before-esp/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-net diff --git a/testing/tests/ikev1/nat-before-esp/test.conf b/testing/tests/ikev1/nat-before-esp/test.conf new file mode 100644 index 000000000..4234eaf63 --- /dev/null +++ b/testing/tests/ikev1/nat-before-esp/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/nat-one-rw/description.txt b/testing/tests/ikev1/nat-one-rw/description.txt new file mode 100644 index 000000000..c3b9bb820 --- /dev/null +++ b/testing/tests/ikev1/nat-one-rw/description.txt @@ -0,0 +1,5 @@ +The roadwarrior alice sitting behind the NAT router moon sets up a tunnel to +gateway sun. UDP encapsulation is used to traverse the NAT router. +leftfirewall=yes automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, the NAT-ed host alice pings the +client bob behind the gateway sun. diff --git a/testing/tests/ikev1/nat-one-rw/evaltest.dat b/testing/tests/ikev1/nat-one-rw/evaltest.dat new file mode 100644 index 000000000..bc193963d --- /dev/null +++ b/testing/tests/ikev1/nat-one-rw/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/nat-one-rw/posttest.dat b/testing/tests/ikev1/nat-one-rw/posttest.dat new file mode 100644 index 000000000..cd0d4df25 --- /dev/null +++ b/testing/tests/ikev1/nat-one-rw/posttest.dat @@ -0,0 +1,6 @@ +alice::ipsec stop +sun::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev1/nat-one-rw/pretest.dat b/testing/tests/ikev1/nat-one-rw/pretest.dat new file mode 100644 index 000000000..9dacc672c --- /dev/null +++ b/testing/tests/ikev1/nat-one-rw/pretest.dat @@ -0,0 +1,10 @@ +alice::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +alice::ipsec start +sun::ipsec start +alice::sleep 5 +alice::ipsec up nat-t + diff --git a/testing/tests/ikev1/nat-one-rw/test.conf b/testing/tests/ikev1/nat-one-rw/test.conf new file mode 100644 index 000000000..d84149aaf --- /dev/null +++ b/testing/tests/ikev1/nat-one-rw/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev1/nat-two-rw-psk/description.txt b/testing/tests/ikev1/nat-two-rw-psk/description.txt new file mode 100644 index 000000000..c74897d9a --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/description.txt @@ -0,0 +1,6 @@ +The roadwarriors alice and venus sitting behind the NAT router moon set up +tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. +Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway sun. +leftfirewall=yes automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus +ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat new file mode 100644 index 000000000..e8aaf0b5f --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat @@ -0,0 +1,9 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES +sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..e8576f0e7 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + +conn nat-t + left=%defaultroute + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..e8c151f05 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..573069f75 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn nat-t + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=%any + rightsubnetwithin=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..e8c151f05 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..e8576f0e7 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + +conn nat-t + left=%defaultroute + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets new file mode 100644 index 000000000..e8c151f05 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/nat-two-rw-psk/posttest.dat b/testing/tests/ikev1/nat-two-rw-psk/posttest.dat new file mode 100644 index 000000000..52572ece8 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/posttest.dat @@ -0,0 +1,8 @@ +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev1/nat-two-rw-psk/pretest.dat b/testing/tests/ikev1/nat-two-rw-psk/pretest.dat new file mode 100644 index 000000000..6172bd088 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/pretest.dat @@ -0,0 +1,16 @@ +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +alice::rm /etc/ipsec.d/cacerts/* +venus::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::sleep 5 +alice::ipsec up nat-t +venus::sleep 5 +venus::ipsec up nat-t diff --git a/testing/tests/ikev1/nat-two-rw-psk/test.conf b/testing/tests/ikev1/nat-two-rw-psk/test.conf new file mode 100644 index 000000000..84317fd70 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/nat-two-rw/description.txt b/testing/tests/ikev1/nat-two-rw/description.txt new file mode 100644 index 000000000..dcf4b94bd --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw/description.txt @@ -0,0 +1,5 @@ +The roadwarriors alice and venus sitting behind the NAT router moon set up +tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. +leftfirewall=yes automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus +ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev1/nat-two-rw/evaltest.dat b/testing/tests/ikev1/nat-two-rw/evaltest.dat new file mode 100644 index 000000000..b1a7d59ee --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw/evaltest.dat @@ -0,0 +1,9 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::nat-t.*alice@strongswan.org::YES +sun::ipsec status::nat-t.*@venus.strongswan.org::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/nat-two-rw/posttest.dat b/testing/tests/ikev1/nat-two-rw/posttest.dat new file mode 100644 index 000000000..52572ece8 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw/posttest.dat @@ -0,0 +1,8 @@ +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev1/nat-two-rw/pretest.dat b/testing/tests/ikev1/nat-two-rw/pretest.dat new file mode 100644 index 000000000..dd5259936 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw/pretest.dat @@ -0,0 +1,13 @@ +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::sleep 5 +alice::ipsec up nat-t +venus::sleep 5 +venus::ipsec up nat-t diff --git a/testing/tests/ikev1/nat-two-rw/test.conf b/testing/tests/ikev1/nat-two-rw/test.conf new file mode 100644 index 000000000..84317fd70 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/net2net-cert/description.txt b/testing/tests/ikev1/net2net-cert/description.txt new file mode 100644 index 000000000..7eea9192f --- /dev/null +++ b/testing/tests/ikev1/net2net-cert/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/ikev1/net2net-cert/evaltest.dat b/testing/tests/ikev1/net2net-cert/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/ikev1/net2net-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-cert/posttest.dat b/testing/tests/ikev1/net2net-cert/posttest.dat new file mode 100644 index 000000000..5a9150bc8 --- /dev/null +++ b/testing/tests/ikev1/net2net-cert/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat new file mode 100644 index 000000000..9f60760c6 --- /dev/null +++ b/testing/tests/ikev1/net2net-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-cert/test.conf b/testing/tests/ikev1/net2net-cert/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/ikev1/net2net-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-pgp/description.txt b/testing/tests/ikev1/net2net-pgp/description.txt new file mode 100644 index 000000000..c85f2e5d0 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on OpenPGP keys. Upon the successful +establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/ikev1/net2net-pgp/evaltest.dat b/testing/tests/ikev1/net2net-pgp/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..eb72ed85f --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.asc + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightcert=sunCert.asc + auto=add diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..135cfaec0 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/613A3B61 2005/08/07 moon + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB +vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 +f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac +t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP +=oaBj +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..32f204b10 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/79949ADD 2005/08/07 sun + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR +A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj +0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn +lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== +=lLvB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc new file mode 100644 index 000000000..6524773e0 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc @@ -0,0 +1,19 @@ +Type Bits/KeyID Date User ID +sec 1024/613A3B61 2005/08/07 moon + +-----BEGIN PGP SECRET KEY BLOCK----- +Version: 2.6.3i + +lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd +JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9 +FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6 +7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3 +0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN +8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7 +QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v +biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4= +=YFQm +-----END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..afb1ff927 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..205f235c8 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftcert=sunCert.asc + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=moonCert.asc + auto=add diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..135cfaec0 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/613A3B61 2005/08/07 moon + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB +vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 +f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac +t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP +=oaBj +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..32f204b10 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/79949ADD 2005/08/07 sun + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR +A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj +0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn +lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== +=lLvB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc new file mode 100644 index 000000000..de2393649 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc @@ -0,0 +1,19 @@ +Type Bits/KeyID Date User ID +sec 1024/79949ADD 2005/08/07 sun + +-----BEGIN PGP SECRET KEY BLOCK----- +Version: 2.6.3i + +lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI +Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1 +GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg +vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2 +LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn +2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs +xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu +IDxzdW4uc3Ryb25nc3dhbi5vcmc+ +=DwEu +-----END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..ee98b1611 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA sunKey.asc diff --git a/testing/tests/ikev1/net2net-pgp/posttest.dat b/testing/tests/ikev1/net2net-pgp/posttest.dat new file mode 100644 index 000000000..fafcde975 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +sun::rm /etc/ipsec.d/certs/* +sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev1/net2net-pgp/pretest.dat b/testing/tests/ikev1/net2net-pgp/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-pgp/test.conf b/testing/tests/ikev1/net2net-pgp/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-psk-fail/description.txt b/testing/tests/ikev1/net2net-psk-fail/description.txt new file mode 100644 index 000000000..5a794bd17 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/description.txt @@ -0,0 +1,7 @@ +An IPsec tunnel connecting the subnets behind the gateways moon and +sun is set up. The authentication is based on Preshared Keys +(PSK). Unfortunately the secret keys of moon and sun do not +match, so that the responder cannot decrypt ISAKMP message MI3. The resulting +encrypted notification message cannot in turn be read by the initiator +moon. In order to avoid a notify-war, any further generation of +PAYLOAD_MALFORMED messages is suppressed. diff --git a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat new file mode 100644 index 000000000..7f7cb9726 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::malformed payload in packet::YES +sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES +sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES +moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO +sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO + diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e095c0b7b --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..b21f863f5 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..b53577e1d --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil + + + + diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat new file mode 100644 index 000000000..dff181797 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +sun::ipsec stop diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat new file mode 100644 index 000000000..aa8e332e0 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat @@ -0,0 +1,6 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-psk-fail/test.conf b/testing/tests/ikev1/net2net-psk-fail/test.conf new file mode 100644 index 000000000..f6e064e7d --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-psk/description.txt b/testing/tests/ikev1/net2net-psk/description.txt new file mode 100644 index 000000000..02cddbb83 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on Preshared Keys (PSK). Upon the successful +establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/ikev1/net2net-psk/evaltest.dat b/testing/tests/ikev1/net2net-psk/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a3536e2b2 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..12e38962e --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/net2net-psk/posttest.dat b/testing/tests/ikev1/net2net-psk/posttest.dat new file mode 100644 index 000000000..5a9150bc8 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-psk/test.conf b/testing/tests/ikev1/net2net-psk/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-route/description.txt b/testing/tests/ikev1/net2net-route/description.txt new file mode 100644 index 000000000..323f09555 --- /dev/null +++ b/testing/tests/ikev1/net2net-route/description.txt @@ -0,0 +1,9 @@ +A tunnel that will connect the subnets behind the gateways moon +and sun, respectively, is preconfigured by installing a %trap eroute +on gateway moon by means of the setting auto=route in ipsec.conf. +A subsequent ping issued by client alice behind gateway moon to +bob located behind gateway sun triggers the %trap eroute and +leads to the automatic establishment of the subnet-to-subnet tunnel. +

+leftfirewall=yes automatically inserts iptables-based firewall rules +that let pass the tunneled traffic. diff --git a/testing/tests/ikev1/net2net-route/evaltest.dat b/testing/tests/ikev1/net2net-route/evaltest.dat new file mode 100644 index 000000000..38d589e5a --- /dev/null +++ b/testing/tests/ikev1/net2net-route/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::initiate on demand from PH_IP_ALICE::YES +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..466235099 --- /dev/null +++ b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=route diff --git a/testing/tests/ikev1/net2net-route/posttest.dat b/testing/tests/ikev1/net2net-route/posttest.dat new file mode 100644 index 000000000..5a9150bc8 --- /dev/null +++ b/testing/tests/ikev1/net2net-route/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-route/pretest.dat b/testing/tests/ikev1/net2net-route/pretest.dat new file mode 100644 index 000000000..2eef7de19 --- /dev/null +++ b/testing/tests/ikev1/net2net-route/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +alice::ping -c 10 PH_IP_BOB diff --git a/testing/tests/ikev1/net2net-route/test.conf b/testing/tests/ikev1/net2net-route/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/ikev1/net2net-route/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-rsa/description.txt b/testing/tests/ikev1/net2net-rsa/description.txt new file mode 100644 index 000000000..a23fae8c3 --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on raw RSA keys. Upon the successful +establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/ikev1/net2net-rsa/evaltest.dat b/testing/tests/ikev1/net2net-rsa/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e4c0614a1 --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + auto=add diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..9859ae8ed --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,17 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA { + # RSA 2048 bits moon.strongswan.org Wed Dec 8 21:41:27 2004 + # for signatures only, UNSAFE FOR ENCRYPTION + #pubkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + Modulus: 0x7e9a4784085e419bb5e70e49247e6827cbf4d99dd4e43755f3159581ee726ba0cddc4e4df332d7523d7f2163d190c551964ac99406aee6180e50c77f49a51369cb3c56ef045c31bc2a0eab86d4f45f6e52f35758b175738648b50d697a27a8323f8797c292a4ee66d2db138ab73dfe0f990030cd6556693650d605d7a94a8a94deb6d7c1e6daf6ef35113f0811ee14c99a0b3d758dc92f68fbdca812d9cd14f1f5bfcc8bea83eb14fb93d4696079ad686089f7979dd5b63a49991aa601d6bbcf3fdcce9bc42cc3d0a380de815bc25907905c9a196141dbe7dcecbe817d8ab4c2bfddf38b5074ec449f70702d3ad52a8efee80c43acc8b423e6e50f69ddf5cc63 + PublicExponent: 0x03 + # everything after this point is secret + PrivateExponent: 0x1519b69601650aef48fbd7b6db6a66b14ca8ceefa37b5e8e532e4395a7bdbc9accfa0d0cfdddce8db4ea8590a2ed763843b72198abc7d1040262cbea8c462de6f734b927d60f5d9f5c57c741237e0fe7b87de3e41d9393410c1e2ce6e9b146b30a96994b1870d2667879d8971e8a5502998008223b8e66de62ce564e9c37171893a0e8a94749590fef394b9deda1e73937b1c664d2e4764ae49572771130a097024380c258fa25f9083eefc5eabe762d8e856237bdd8ad8217f899688f70ac1f37650dc08bf3748b74a4f30873842fe27bdfbc49d0cb14c3861ff18b1219153ddb69e5bcb09ff691473a856e63e23d2f36389959f804e82b13a547decc7d6df7 + Prime1: 0xc11b8705063c662ee0a168b904bbd9c514025360c75e43e7c60c3c17846ede31bba328dfaf8abf513175f312a4263645db0f0797ca7f36d04f996680772264a63c1f76a2a2fe250aa0ca8e96122438bdd5b327e925742047f2b7d0fe3fa6ea07a10cd9a40f8994a95af505116131584c5fc247a7d69df08bfac1b5a23b7c157f + Prime2: 0xa7d5dcc534e67a60b918109b7b66cfad37de43b7d51025bfda4fbd30ee3a73362c879f1e251c47ed98a442b33bdcb2112e5aa2b160426e5d6a2c1bb22e104e6db75f0575d979e38146d89db8948500fad36b0875570b3f0ac5754440d14d4b47fa55b77b1d2b9033991c4a858256632759d22c80060d52957643aa8ed789231d + Exponent1: 0x80bd04ae0428441f406b9b260327e68362ac3795da3ed7efd95d7d6502f4942127c21b3fca5c7f8b764ea20c6d6eced93cb4afba86ff79e03510ef004f6c43197d6a4f17175418b1c08709b9616d7b2939221a9b6e4d6adaa1cfe0a97fc49c05160891180a5bb870e74e0360eb763add952c2fc539bea05d51d67916d252b8ff + Exponent2: 0x6fe3e8837899a6eb26100b1252448a737a942d2538b56e7fe6dfd375f426f779730514bec3682ff3bb182c777d3dcc0b743c6c76402c49939c1d67cc1eb5899e7a3f58f93ba697ab84906925b858ab51e2475af8e4b22a072e4e2d808b88dcdaa6e3cfa768c7b577bb6831ae56e4421a3be173000408e1b8f98271b48fb0c213 + Coefficient: 0x0a9ea0e995d8d635ac37b5d5f1121ecd4d6387262ea65ea969499ec4c7af9d7a79b256654bda5c972b6efaf5aba35d6790ce4db39258930488ddb2443d19c344312380bed3290f29f0ff5b0ce382622c849f3279f653a2b7c4cc8efbfc5098852fe39aee9da947e53ddfe58bb6b7bb02b693a1b1228dc0481b681d51865d0339 + } +# do not change the indenting of that "}" diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..d0c8752a3 --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + auto=add diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..bf976a8d3 --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,17 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA { + # RSA 2048 bits sun.strongswan.org Wed Dec 8 21:44:27 2004 + # for signatures only, UNSAFE FOR ENCRYPTION + #pubkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + Modulus: 0xa24ae47d7bf58c6453b12b721d68504e4f60c6a0e6c50c95117a3a8b723329998db255b03d2e973e00418ac6a8dbdfb586eac568ddf0420c138086098cc3db346fa0d349e5da210968a96d4cf080bec5ed5f4fe17406c5b5b6d6843745931791fe27e6b8fdaad88381f2880fac8e8a876a09c254f335e519b99a49a0f75dd79920a0b647a70f8594abe35f3cbb8e72082a4e31c0028183d1da2cc116b7b1e6f2a8740d01bdf63d75bd79c2a2f44c5c3eb76be61479b8d5d13181ae981b68c5c13ac44bc233fb0f44ad616f2ca78b17399df310e5899be26742528b5419a0b22836b8a45e7cb1880feb1a5dfc75cc5c67513fe2b1a80e2c7deb38ea0a7c52e253 + PublicExponent: 0x03 + # everything after this point is secret + PrivateExponent: 0x04eaff2a9726789e3114e24946b595d3d3dc250ca22500619bae5edd701110c697b0121c9d01696e7c21043490c0d83bcdc90dbd5c0f09c24e2aaeba78a1162860793cb4a9dfd274a614a638a27081e6f7ad8e0e96e8eeb7ee448fa49580941bb25e4ccf4d814c611373f49ba061690bdc6ce6dbc94f357ce69811bf0f40e780b643cbe7e076031f234e842b41bc10fb2d359617c64b434cb3dd4d9add91dcbcaef9fba1fb6f217a8ad65bde553bd2792c939ea8b5c0591598e7291597609a779a088e36c1ebe15ebb5e9a7774d9d9cd90913030b88e215f9e66fe0daafb198a3bb9d4e6277b625460ede2d84ce7f3334bf641829c826dbc1549625377c517db + Prime1: 0xfee3308b1f16875eeb4ca7ba6a9b8f9279eceff06531aae2bb50d2ccbf7f2b0901f2c5e046856c54c338f4b79943f8ad6d20a97fe0a48786cd659aff3f55e3a8c4c09cad526975180d1c2905ba028b58dd05a71d3a268153fae62eb5e9fe9184b20f9fbd626b14054c4acd7e2de69934d91cbf239c7a63c9d2721cd466df26eb + Prime2: 0xa3003cd898c297323377adeed7b4b214dc78e8bf0d9c2c0bef54ed53686547971847d7400e1d8055149ef6425e5241f28b43c8d52b48d281ae4fc7d0589ef8ad9ae95a05e2298cf679135cc0dd7378611e363380852313bfdc259cdb2543d5d1d1b492f6035ec72a2025529c5dff6995ad64b1b7dec3a3755a512073a50ba839 + Exponent1: 0xa9eccb076a0f04e9f2331a7c47125fb6fbf34aa0437671ec7ce08c887faa1cb0abf72e958458f2e32cd0a32510d7fb1e48c070ffeb185a59de43bcaa2a394270832b131e36f0f8bab3681b5926ac5ce5e8ae6f68d16f00e2a7441f23f1546103215fbfd396f20d58dd8733a973ef10cde6132a17bda6ed3136f6bde2ef3f6f47 + Exponent2: 0x6caad33b1081ba2177a51e9f3a7876b892fb45d4b3bd72b29f8df38cf043850f65853a2ab413aae36314a42c3ee1814c5cd7db38c785e1abc98a85359069fb1e67463c03ec1bb34efb623dd5e8f7a59614242255ae17627fe819133cc3828e8be1230ca4023f2f716ac38c683eaa4663c8edcbcfe9d7c24e3c3615a26e07c57b + Coefficient: 0xbf865c3ed94693c7f16e04fd73929d7b4a3a296d6113eb9b01e87d5cf3be71afa2f838a5a82a97b55e8309025214312edefd3b77c989054bf28ec81bf3989d698671cb64eac9f016cc136f6ab78ce4d5d3837198eea5ec8ed057ba8e0e6f240a60202171f65be992d7bcd54ee0f803e5bd6b8385223b55440e095b28f01bbd0a + } +# do not change the indenting of that "}" diff --git a/testing/tests/ikev1/net2net-rsa/posttest.dat b/testing/tests/ikev1/net2net-rsa/posttest.dat new file mode 100644 index 000000000..5a9150bc8 --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-rsa/pretest.dat b/testing/tests/ikev1/net2net-rsa/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-rsa/test.conf b/testing/tests/ikev1/net2net-rsa/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/ikev1/net2net-rsa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-start/description.txt b/testing/tests/ikev1/net2net-start/description.txt new file mode 100644 index 000000000..f5320685e --- /dev/null +++ b/testing/tests/ikev1/net2net-start/description.txt @@ -0,0 +1,8 @@ +A tunnel connecting the subnets behind the gateways moon and sun, +respectively, is automatically established by means of the setting +auto=start in ipsec.conf. The connection is tested by client alice +behind gateway moon pinging the client bob located behind +gateway sun. +

+leftfirewall=yes automatically inserts iptables-based firewall rules +that let pass the tunneled traffic. diff --git a/testing/tests/ikev1/net2net-start/evaltest.dat b/testing/tests/ikev1/net2net-start/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/ikev1/net2net-start/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..95abd046a --- /dev/null +++ b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=start diff --git a/testing/tests/ikev1/net2net-start/posttest.dat b/testing/tests/ikev1/net2net-start/posttest.dat new file mode 100644 index 000000000..5a9150bc8 --- /dev/null +++ b/testing/tests/ikev1/net2net-start/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat new file mode 100644 index 000000000..ed8f39316 --- /dev/null +++ b/testing/tests/ikev1/net2net-start/pretest.dat @@ -0,0 +1,5 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +alice::sleep 12 diff --git a/testing/tests/ikev1/net2net-start/test.conf b/testing/tests/ikev1/net2net-start/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/ikev1/net2net-start/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/no-priv-key/description.txt b/testing/tests/ikev1/no-priv-key/description.txt new file mode 100644 index 000000000..21b8eccb1 --- /dev/null +++ b/testing/tests/ikev1/no-priv-key/description.txt @@ -0,0 +1,4 @@ +This scenario tests whether the correct encrypted informational messages are +generated by the initiator carol and subsequently decoded by the +responder moon when roadwarrior carol finds out that she +doesn't have a private RSA key to sign her hash with. diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat new file mode 100644 index 000000000..9bd85ba12 --- /dev/null +++ b/testing/tests/ikev1/no-priv-key/evaltest.dat @@ -0,0 +1,4 @@ +carol::cat /var/log/auth.log::unable to locate my private key for RSA Signature::YES +moon::cat /var/log/auth.log::ignoring informational payload, type AUTHENTICATION_FAILED::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..23b311aa6 --- /dev/null +++ b/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# missing private RSA key diff --git a/testing/tests/ikev1/no-priv-key/posttest.dat b/testing/tests/ikev1/no-priv-key/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/no-priv-key/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/no-priv-key/pretest.dat b/testing/tests/ikev1/no-priv-key/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/ikev1/no-priv-key/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/no-priv-key/test.conf b/testing/tests/ikev1/no-priv-key/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/no-priv-key/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/ocsp-revoked/description.txt b/testing/tests/ikev1/ocsp-revoked/description.txt new file mode 100644 index 000000000..cbdd1305a --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/description.txt @@ -0,0 +1,7 @@ +By setting strictcrlpolicy=yes a strict CRL policy is enforced on +both roadwarrior carol and gateway moon. Thus when carol initiates +the connection and no current revocation information is available, the Main Mode +negotiation fails but an OCSP request issued to the OCSP server winnetou. +When the second Main Mode trial comes around the OCSP response will be available +but because the certificate presented by carol has been revoked, +the IKE negotatiation will fail.. diff --git a/testing/tests/ikev1/ocsp-revoked/evaltest.dat b/testing/tests/ikev1/ocsp-revoked/evaltest.dat new file mode 100644 index 000000000..f5286cb61 --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listocsp:: revoked::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5b32ef007 --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolRevokedCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem new file mode 100644 index 000000000..5b742fc9e --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV +mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo +5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv +VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN +IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 +K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 +OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB +56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM +2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q +O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL +LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 +wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N +9IcgYi5x +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem new file mode 100644 index 000000000..8aefcc5a6 --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn +hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb +v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7 +HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx +vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE +UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU +WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf +OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu +og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2 +MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/ +khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx +uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07 +a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt +7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+ +rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y +ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf +IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi +CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3 +baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R +TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP +r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i +jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH +46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva +o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa +9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..8e31be4cb --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolRevokedKey.pem diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d9da3f78a --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,39 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/ocsp-revoked/posttest.dat b/testing/tests/ikev1/ocsp-revoked/posttest.dat new file mode 100644 index 000000000..d742e8410 --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/ocsp-revoked/pretest.dat b/testing/tests/ikev1/ocsp-revoked/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/ocsp-revoked/test.conf b/testing/tests/ikev1/ocsp-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/ocsp-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/ocsp-strict/description.txt b/testing/tests/ikev1/ocsp-strict/description.txt new file mode 100644 index 000000000..7cb983140 --- /dev/null +++ b/testing/tests/ikev1/ocsp-strict/description.txt @@ -0,0 +1,6 @@ +By setting strictcrlpolicy=yes a strict CRL policy is enforced on +both roadwarrior carol and gateway moon. Thus when carol initiates +the connection and no current revocation information is available, the Main Mode +negotiation fails but an OCSP request is issued to the OCSP server winnetou. +When the second Main Mode trial comes around, the OCSP response will be available +and the IKE negotiation completes. diff --git a/testing/tests/ikev1/ocsp-strict/evaltest.dat b/testing/tests/ikev1/ocsp-strict/evaltest.dat new file mode 100644 index 000000000..66b27aaac --- /dev/null +++ b/testing/tests/ikev1/ocsp-strict/evaltest.dat @@ -0,0 +1,8 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec listocsp:: good::YES +carol::ipsec listocsp:: good::YES diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..fd950ecd5 --- /dev/null +++ b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d9da3f78a --- /dev/null +++ b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,39 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + charonstart=no + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/ocsp-strict/posttest.dat b/testing/tests/ikev1/ocsp-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/ocsp-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/ocsp-strict/pretest.dat b/testing/tests/ikev1/ocsp-strict/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/ikev1/ocsp-strict/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/ocsp-strict/test.conf b/testing/tests/ikev1/ocsp-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/ocsp-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/protoport-dual/description.txt b/testing/tests/ikev1/protoport-dual/description.txt new file mode 100644 index 000000000..7bed8b959 --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/description.txt @@ -0,0 +1,6 @@ +Using the left|rightprotoport selectors, two IPsec tunnels +between the roadwarrior carol and the gateway moon are +defined. The first IPsec SA is restricted to ICMP packets and the second +covers TCP-based SSH connections. The established tunnels are tested +by carol by first pinging alice behind moon and +then setting up an SSH session to the same client. diff --git a/testing/tests/ikev1/protoport-dual/evaltest.dat b/testing/tests/ikev1/protoport-dual/evaltest.dat new file mode 100644 index 000000000..11c34929f --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..0dc25b7bb --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + +conn home-icmp + leftprotoport=icmp + rightprotoport=icmp + +conn home-ssh + leftprotoport=tcp + rightprotoport=tcp/ssh diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..3b01128c2 --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + auto=add + +conn rw-icmp + lefthostaccess=yes + leftprotoport=icmp + rightprotoport=icmp + +conn rw-ssh + leftprotoport=tcp/ssh + rightprotoport=tcp diff --git a/testing/tests/ikev1/protoport-dual/posttest.dat b/testing/tests/ikev1/protoport-dual/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat new file mode 100644 index 000000000..d3d0061c3 --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home-icmp +carol::ipsec up home-ssh diff --git a/testing/tests/ikev1/protoport-dual/test.conf b/testing/tests/ikev1/protoport-dual/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/protoport-pass/description.txt b/testing/tests/ikev1/protoport-pass/description.txt new file mode 100644 index 000000000..63744fa47 --- /dev/null +++ b/testing/tests/ikev1/protoport-pass/description.txt @@ -0,0 +1,13 @@ +The roadwarrior carol sets up a connection to gateway moon. +Using the left|rightprotoport selectors, the IPsec tunnel is +restricted to the ICMP protocol. Upon the successful establishment of the +IPsec tunnel, firewall=yes automatically inserts iptables-based +firewall rules that let pass the tunneled ICMP traffic. In order to test +both tunnel and firewall, carol pings the client alice behind +the gateway moon as well as the inner interface of the gateway. +For the latter ping lefthostaccess=yes is required. +

+By default, the native IPsec stack of the Linux 2.6 kernel transmits +protocols and ports not covered by any IPsec SA in the clear. Thus by +selectively opening the firewalls, carol sets up an SSH session to +alice that is not going through the tunnel. diff --git a/testing/tests/ikev1/protoport-pass/evaltest.dat b/testing/tests/ikev1/protoport-pass/evaltest.dat new file mode 100644 index 000000000..11c34929f --- /dev/null +++ b/testing/tests/ikev1/protoport-pass/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..093f9b1fc --- /dev/null +++ b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home-icmp + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftcert=carolCert.pem + leftprotoport=icmp + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightprotoport=icmp + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e64b3be7a --- /dev/null +++ b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw-icmp + left=PH_IP_MOON + leftnexthop=%direct + leftsubnet=10.1.0.0/16 + leftprotoport=icmp + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftfirewall=yes + lefthostaccess=yes + right=%any + rightprotoport=icmp + auto=add diff --git a/testing/tests/ikev1/protoport-pass/posttest.dat b/testing/tests/ikev1/protoport-pass/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/protoport-pass/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/protoport-pass/pretest.dat b/testing/tests/ikev1/protoport-pass/pretest.dat new file mode 100644 index 000000000..13b4ad4a0 --- /dev/null +++ b/testing/tests/ikev1/protoport-pass/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +moon::iptables -I FORWARD -i eth0 -p tcp -d 10.1.0.0/16 --dport ssh -jACCEPT +moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT +carol::/etc/init.d/iptables start 2> /dev/null +carol::iptables -I INPUT -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT +carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home-icmp diff --git a/testing/tests/ikev1/protoport-pass/test.conf b/testing/tests/ikev1/protoport-pass/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/protoport-pass/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/protoport-route/description.txt b/testing/tests/ikev1/protoport-route/description.txt new file mode 100644 index 000000000..ec7ec69b0 --- /dev/null +++ b/testing/tests/ikev1/protoport-route/description.txt @@ -0,0 +1,8 @@ +Using the left|rightprotoport selectors, two IPsec tunnels +between the roadwarrior carol and the gateway moon are +defined. The first IPsec SA is restricted to ICMP packets and the second +covers TCP-based SSH connections. Using add=route %trap +eroutes for these IPsec SAs are prepared on carol. By sending +a ping to the client alice behind moon, the ICMP eroute +is triggered and the corresponding IPsec tunnel is set up. In the same +way an ssh session to alice over the second IPsec SA is established. diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat new file mode 100644 index 000000000..759295675 --- /dev/null +++ b/testing/tests/ikev1/protoport-route/evaltest.dat @@ -0,0 +1,8 @@ +carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES +carol::ping -c 2 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES +carol::ssh PH_IP_ALICE hostname::alice::YES +carol::cat /var/log/auth.log::initiate on demand::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..99b410c32 --- /dev/null +++ b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=route + +conn home-icmp + leftprotoport=icmp + rightprotoport=icmp + +conn home-ssh + leftprotoport=tcp + rightprotoport=tcp/ssh diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..3b01128c2 --- /dev/null +++ b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + auto=add + +conn rw-icmp + lefthostaccess=yes + leftprotoport=icmp + rightprotoport=icmp + +conn rw-ssh + leftprotoport=tcp/ssh + rightprotoport=tcp diff --git a/testing/tests/ikev1/protoport-route/posttest.dat b/testing/tests/ikev1/protoport-route/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/protoport-route/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat new file mode 100644 index 000000000..f233ad48f --- /dev/null +++ b/testing/tests/ikev1/protoport-route/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ssh PH_IP_ALICE hostname diff --git a/testing/tests/ikev1/protoport-route/test.conf b/testing/tests/ikev1/protoport-route/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/protoport-route/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/req-pkcs10/description.txt b/testing/tests/ikev1/req-pkcs10/description.txt new file mode 100644 index 000000000..a958cb8e8 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/description.txt @@ -0,0 +1,11 @@ +Both the roadwarrior carol and the gateway moon generate a +PKCS#1 RSA private key and a PKCS#10 certificate request using the +ipsec scepclient function. Because the UML testing environment +does not offer enough entropy, the non-blocking /dev/urandom device is +used in place of /dev/random for generating the random primes. +

+The certificate requests are copied to winnetou where a certification +authority based on OpenSSL issues X.509 certificates by verifying and +signing the PCKS#10 requests. The certificates are then copied back to +the corresponding hosts and used to set up a road warrior connection +initiated by carol diff --git a/testing/tests/ikev1/req-pkcs10/evaltest.dat b/testing/tests/ikev1/req-pkcs10/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..e32aca0b9 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=myCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..167d743df --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA myKey.der diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf new file mode 100644 index 000000000..6afd3fa11 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf @@ -0,0 +1,3 @@ +--debug-control +--out pkcs1 +--out pkcs10 diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b9ec17dbc --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.der diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf new file mode 100644 index 000000000..da8177348 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf @@ -0,0 +1,4 @@ +--debug-control +--keylength 2064 +--out pkcs1=moonKey.der +--out pkcs10=moonReq.der diff --git a/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt b/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt new file mode 100644 index 000000000..9b48ee4cf --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt @@ -0,0 +1,2 @@ +y +y diff --git a/testing/tests/ikev1/req-pkcs10/posttest.dat b/testing/tests/ikev1/req-pkcs10/posttest.dat new file mode 100644 index 000000000..933b4b6c4 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/posttest.dat @@ -0,0 +1,11 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/reqs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/reqs/* +winnetou::rm /etc/openssl/carol* +winnetou::rm /etc/openssl/moon* diff --git a/testing/tests/ikev1/req-pkcs10/pretest.dat b/testing/tests/ikev1/req-pkcs10/pretest.dat new file mode 100644 index 000000000..18b8b16e6 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/pretest.dat @@ -0,0 +1,22 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::cat /etc/scepclient.conf +carol::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=carol@strongswan.org\" --optionsfrom /etc/scepclient.conf +winnetou::scp carol:/etc/ipsec.d/reqs/myReq.der /etc/openssl/carolReq.der +winnetou::openssl req -inform der -in /etc/openssl/carolReq.der -out /etc/openssl/carolReq.pem +winnetou::cd /etc/openssl; COMMON_NAME="carol@strongswan.org" openssl ca -in carolReq.pem -out carolCert.pem -notext -config openssl.cnf -extensions user_ext < yy.txt +winnetou::scp /etc/openssl/carolCert.pem carol:/etc/ipsec.d/certs/myCert.pem +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::cat /etc/scepclient.conf +moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, SN=01, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf +winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/ +winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem +winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt +winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/req-pkcs10/test.conf b/testing/tests/ikev1/req-pkcs10/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-cert/description.txt b/testing/tests/ikev1/rw-cert/description.txt new file mode 100644 index 000000000..8df6b1c0d --- /dev/null +++ b/testing/tests/ikev1/rw-cert/description.txt @@ -0,0 +1,6 @@ +The roadwarrior carol sets up a connection to gateway moon. +The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, carol pings the client +alice behind the gateway moon. diff --git a/testing/tests/ikev1/rw-cert/evaltest.dat b/testing/tests/ikev1/rw-cert/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/ikev1/rw-cert/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-cert/posttest.dat b/testing/tests/ikev1/rw-cert/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/rw-cert/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat new file mode 100644 index 000000000..4fe0ee90b --- /dev/null +++ b/testing/tests/ikev1/rw-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-cert/test.conf b/testing/tests/ikev1/rw-cert/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/description.txt b/testing/tests/ikev1/rw-psk-fqdn-named/description.txt new file mode 100644 index 000000000..adfab2f4d --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/description.txt @@ -0,0 +1,11 @@ +The roadwarrior carol sets up a connection to gateway moon. The authentication is +based on Preshared Keys (PSK) and Fully Qualified Domain Names (ID_FQDN). +leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnel carol pings the client alice behind +the gateway moon. +

+The significant difference between this scenario and the test +rw-psk-fqdn +is the additional line rightid=@carol.strongswan.org by which gateway +moon restricts the roadwarrior connection to host carol. +

diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..1e9a27129 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftid=@carol.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..db3884e57 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..05d209c44 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw-carol + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightid=@carol.strongswan.org + auto=add diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..6281340ae --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/test.conf b/testing/tests/ikev1/rw-psk-fqdn-named/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-psk-fqdn/description.txt b/testing/tests/ikev1/rw-psk-fqdn/description.txt new file mode 100644 index 000000000..d6c79afb2 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/description.txt @@ -0,0 +1,5 @@ +The roadwarrior carol sets up a connection to gateway moon. The authentication is +based on Preshared Keys (PSK) and Fully Qualified Domain Names (ID_FQDN). +leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnel carol pings the client alice behind +the gateway moon. diff --git a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..1e9a27129 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftid=@carol.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..db3884e57 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..beda12b3c --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..661168fb5 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-fqdn/test.conf b/testing/tests/ikev1/rw-psk-fqdn/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-psk-ipv4/description.txt b/testing/tests/ikev1/rw-psk-ipv4/description.txt new file mode 100644 index 000000000..b3a0bc192 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/description.txt @@ -0,0 +1,5 @@ +The roadwarrior carol sets up a connection to gateway moon. The authentication is +based on Preshared Keys (PSK) and IPv4 addresses (ID_IPV4_ADDR). +firewall=yes automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel carol pings the client alice +behind the gateway moon. diff --git a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..8e27a9ecd --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..69313b289 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP_CAROL PH_IP_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f8ce5569c --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..a8e367950 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-ipv4/test.conf b/testing/tests/ikev1/rw-psk-ipv4/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-psk-no-policy/description.txt b/testing/tests/ikev1/rw-psk-no-policy/description.txt new file mode 100644 index 000000000..0e359414f --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/description.txt @@ -0,0 +1,3 @@ +The roadwarrior carol wants to set up a connection to gateway moon using +PSK-based authentication. Since moon supports RSASIG-based +authentication only, the connection setup fails. diff --git a/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat b/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat new file mode 100644 index 000000000..a28377dbd --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::peer requests PSK authentication::YES +moon::cat /var/log/auth.log::but no connection has been authorized with policy=PSK::YES +moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO + diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c62605bd0 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + authby=secret + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..1b721dc58 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..4584e1408 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/rw-psk-no-policy/posttest.dat b/testing/tests/ikev1/rw-psk-no-policy/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/rw-psk-no-policy/pretest.dat b/testing/tests/ikev1/rw-psk-no-policy/pretest.dat new file mode 100644 index 000000000..3a7804ddd --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/pretest.dat @@ -0,0 +1,5 @@ +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-no-policy/test.conf b/testing/tests/ikev1/rw-psk-no-policy/test.conf new file mode 100644 index 000000000..f622c18b7 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt new file mode 100644 index 000000000..b99a8e5b3 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt @@ -0,0 +1,5 @@ +The roadwarriors carol and dave each set up a connection to gateway moon. +carol's authentication is based on a Pre-Shared Key (PSK) whereas dave's +is based on an RSA signature (RSASIG). Gateway moon supports both authentication modes +and automatically selects the correct roadwarrior connection definition based on policy +information gained from pre-parsing the peers' ISAKMP proposal payload. diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat new file mode 100644 index 000000000..9e1354121 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::peer requests PSK authentication::YES +moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES +moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES + diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b142c75bb --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes128,serpent128,twofish128,3des + +conn home + authby=secret + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..1b721dc58 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..5916d8fd8 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + +conn rw-rsasig + authby=rsasig + leftcert=moonCert.pem + auto=add + +conn rw-psk + authby=secret + auto=add diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..fd33507a7 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: RSA moonKey.pem diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat new file mode 100644 index 000000000..ed530f6d9 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat new file mode 100644 index 000000000..35797b589 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat @@ -0,0 +1,7 @@ +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf new file mode 100644 index 000000000..699b88e88 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol dave winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/rw-rsa-no-policy/description.txt b/testing/tests/ikev1/rw-rsa-no-policy/description.txt new file mode 100644 index 000000000..c3336b769 --- /dev/null +++ b/testing/tests/ikev1/rw-rsa-no-policy/description.txt @@ -0,0 +1,3 @@ +The roadwarrior carol wants to set up a connection to gateway moon using +RSASIG-based authentication. Since moon supports PSK-based +authentication only, the connection setup fails. diff --git a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat new file mode 100644 index 000000000..188b7bbb5 --- /dev/null +++ b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES +moon::cat /var/log/auth.log::but no connection has been authorized with policy=RSASIG::YES +moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO + diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2abe3c147 --- /dev/null +++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw-psk + authby=secret + left=PH_IP_MOON + leftnexthop=%direct + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e8c151f05 --- /dev/null +++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat b/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat b/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat new file mode 100644 index 000000000..0d2a0dd1f --- /dev/null +++ b/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat @@ -0,0 +1,5 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-rsa-no-policy/test.conf b/testing/tests/ikev1/rw-rsa-no-policy/test.conf new file mode 100644 index 000000000..f622c18b7 --- /dev/null +++ b/testing/tests/ikev1/rw-rsa-no-policy/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/self-signed/description.txt b/testing/tests/ikev1/self-signed/description.txt new file mode 100644 index 000000000..2d7bfc2bf --- /dev/null +++ b/testing/tests/ikev1/self-signed/description.txt @@ -0,0 +1,8 @@ +Roadwarrior carol and gateway moon each generate a +PKCS#1 RSA private key and a self-signed X.509 certificate +using the ipsec scepclient function. Because the UML testing +environment does not offer enough entropy, the non-blocking /dev/urandom +device is used in place of /dev/random for generating the random primes. +

+The self-signed certificates are then distributed to the peers via scp +and are used to set up a road warrior connection initiated by carol diff --git a/testing/tests/ikev1/self-signed/evaltest.dat b/testing/tests/ikev1/self-signed/evaltest.dat new file mode 100644 index 000000000..f190d7066 --- /dev/null +++ b/testing/tests/ikev1/self-signed/evaltest.dat @@ -0,0 +1,7 @@ +carol::cat /var/log/auth.log::we have a cert but are not sending it::YES +moon::cat /var/log/auth.log::we have a cert but are not sending it::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..93ea3a80e --- /dev/null +++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=peerCert.der + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..167d743df --- /dev/null +++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA myKey.der diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..13ad3063f --- /dev/null +++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables @@ -0,0 +1,78 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..98b0030d8 --- /dev/null +++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn carol + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.der + leftid=@moon.strongswan.org + leftsendcert=never + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + rightcert=carolCert.der + auto=add + diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b9ec17dbc --- /dev/null +++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.der diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf new file mode 100644 index 000000000..b84f3e131 --- /dev/null +++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf @@ -0,0 +1,6 @@ +--debug-control +--keylength 2032 +--days 1460 +--subjectAltName dns=moon.strongswan.org +--out pkcs1=moonKey.der +--out cert-self=moonCert.der diff --git a/testing/tests/ikev1/self-signed/posttest.dat b/testing/tests/ikev1/self-signed/posttest.dat new file mode 100644 index 000000000..8cada5e7e --- /dev/null +++ b/testing/tests/ikev1/self-signed/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/self-signed/pretest.dat b/testing/tests/ikev1/self-signed/pretest.dat new file mode 100644 index 000000000..a7cddf677 --- /dev/null +++ b/testing/tests/ikev1/self-signed/pretest.dat @@ -0,0 +1,17 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec scepclient --out pkcs1 --out cert-self +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/scepclient.conf +moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf +moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/carolCert.der +moon::scp /etc/ipsec.d/certs/moonCert.der carol:/etc/ipsec.d/certs/peerCert.der +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/self-signed/test.conf b/testing/tests/ikev1/self-signed/test.conf new file mode 100644 index 000000000..0baa48d90 --- /dev/null +++ b/testing/tests/ikev1/self-signed/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/starter-also-loop/description.txt b/testing/tests/ikev1/starter-also-loop/description.txt new file mode 100644 index 000000000..7451f4e12 --- /dev/null +++ b/testing/tests/ikev1/starter-also-loop/description.txt @@ -0,0 +1,4 @@ +This scenario is the same as test rw-cert but +uses the also parameter in moon's ipsec.conf in order to define +the connections in a modular form. A closed also loop created by including +conn host-host in conn moon is successfully detected. diff --git a/testing/tests/ikev1/starter-also-loop/evaltest.dat b/testing/tests/ikev1/starter-also-loop/evaltest.dat new file mode 100644 index 000000000..161772f8e --- /dev/null +++ b/testing/tests/ikev1/starter-also-loop/evaltest.dat @@ -0,0 +1,3 @@ +moon::cat /var/log/auth.log::detected also loop::YES +moon::cat /var/log/auth.log::errors in config::YES + diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b58d1deb7 --- /dev/null +++ b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf @@ -0,0 +1,47 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + also=host-host + also=moon-net + also=sun-net + +conn host-host + also=moon + also=sun + auto=add + +conn rw + right=%any + also=moon + also=moon-net + auto=add + +conn moon + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + also=host-host + +conn moon-net + leftsubnet=10.1.0.0/16 + +conn sun + right=PH_IP_SUN + rightid=@sun.strongswan.org + +conn sun-net + rightsubnet=10.2.0.0/16 diff --git a/testing/tests/ikev1/starter-also-loop/posttest.dat b/testing/tests/ikev1/starter-also-loop/posttest.dat new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev1/starter-also-loop/pretest.dat b/testing/tests/ikev1/starter-also-loop/pretest.dat new file mode 100644 index 000000000..b135b12c3 --- /dev/null +++ b/testing/tests/ikev1/starter-also-loop/pretest.dat @@ -0,0 +1,2 @@ +moon::ipsec start --debug-all +moon::sleep 1 diff --git a/testing/tests/ikev1/starter-also-loop/test.conf b/testing/tests/ikev1/starter-also-loop/test.conf new file mode 100644 index 000000000..e7735308f --- /dev/null +++ b/testing/tests/ikev1/starter-also-loop/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon" diff --git a/testing/tests/ikev1/starter-also/description.txt b/testing/tests/ikev1/starter-also/description.txt new file mode 100644 index 000000000..3d4ff7dbf --- /dev/null +++ b/testing/tests/ikev1/starter-also/description.txt @@ -0,0 +1,3 @@ +This scenario is the same as test rw-cert but +uses the also parameter in moon's ipsec.conf in order to define +the connections in a modular form. diff --git a/testing/tests/ikev1/starter-also/evaltest.dat b/testing/tests/ikev1/starter-also/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/ikev1/starter-also/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..09f3bb94d --- /dev/null +++ b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf @@ -0,0 +1,46 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + also=host-host + also=moon-net + also=sun-net + +conn host-host + also=moon + also=sun + auto=add + +conn rw + right=%any + also=moon + also=moon-net + auto=add + +conn moon + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn moon-net + leftsubnet=10.1.0.0/16 + +conn sun + right=PH_IP_SUN + rightid=@sun.strongswan.org + +conn sun-net + rightsubnet=10.2.0.0/16 diff --git a/testing/tests/ikev1/starter-also/posttest.dat b/testing/tests/ikev1/starter-also/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/starter-also/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/starter-also/pretest.dat b/testing/tests/ikev1/starter-also/pretest.dat new file mode 100644 index 000000000..4f96e61df --- /dev/null +++ b/testing/tests/ikev1/starter-also/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start --debug-all +sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/starter-also/test.conf b/testing/tests/ikev1/starter-also/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/ikev1/starter-also/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/starter-includes/description.txt b/testing/tests/ikev1/starter-includes/description.txt new file mode 100644 index 000000000..6a05c0cca --- /dev/null +++ b/testing/tests/ikev1/starter-includes/description.txt @@ -0,0 +1,6 @@ +This test is based on the mode-config +scenario and demonstrates the multiple use of the include +parameter in IPsec configuration files. At the top level /etc/ipsec.conf +defines the config setup section and includes /etc/ipsec.connections +which in turn includes /etc/ipsec.host and /etc/ipsec.peers/* +thereby showing the use of wildcards in path definitions. diff --git a/testing/tests/ikev1/starter-includes/evaltest.dat b/testing/tests/ikev1/starter-includes/evaltest.dat new file mode 100644 index 000000000..7de32d681 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2fd734579 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..128c4aa29 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..4e7bfc1b4 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +include /etc/ipsec.connections diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections new file mode 100644 index 000000000..7cd938628 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections @@ -0,0 +1,12 @@ +# /etc/ipsec.connections - connection definitions + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +include /etc/ipsec.host + +include /etc/ipsec.peers/* + diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host new file mode 100755 index 000000000..acf753cc0 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host @@ -0,0 +1,11 @@ +# /etc/ipsec.host - my host configuration + +conn %default + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftsourceip=PH_IP_MOON1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol new file mode 100644 index 000000000..84bedfef6 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol @@ -0,0 +1,8 @@ +# /etc/ipsec.peers/ipsec.carol - connection from carol + +conn rw-carol + right=%any + rightid=carol@strongswan.org + rightsourceip=PH_IP_CAROL1 + auto=add + diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave new file mode 100644 index 000000000..ee021c9be --- /dev/null +++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave @@ -0,0 +1,8 @@ +# /etc/ipsec.peers/ipsec.dave - connection from dave + +conn rw-dave + right=%any + rightid=dave@strongswan.org + rightsourceip=PH_IP_DAVE1 + auto=add + diff --git a/testing/tests/ikev1/starter-includes/posttest.dat b/testing/tests/ikev1/starter-includes/posttest.dat new file mode 100644 index 000000000..ebf7525ef --- /dev/null +++ b/testing/tests/ikev1/starter-includes/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP_CAROL1/32 dev eth0 +dave::ip addr del PH_IP_DAVE1/32 dev eth0 +moon::rm /etc/ipsec.connections /etc/ipsec.host +moon::rm -r /etc/ipsec.peers diff --git a/testing/tests/ikev1/starter-includes/pretest.dat b/testing/tests/ikev1/starter-includes/pretest.dat new file mode 100644 index 000000000..b034a0c03 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/pretest.dat @@ -0,0 +1,11 @@ +moon::cat /etc/ipsec.connections /etc/ipsec.host /etc/ipsec.peers/* +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start --debug-all +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/starter-includes/test.conf b/testing/tests/ikev1/starter-includes/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev1/starter-includes/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/strong-certs/description.txt b/testing/tests/ikev1/strong-certs/description.txt new file mode 100644 index 000000000..22b58668d --- /dev/null +++ b/testing/tests/ikev1/strong-certs/description.txt @@ -0,0 +1,6 @@ +This is a remote-access scenario with two roadwarriors carol and dave +setting up a connection each to the VPN gateway moon. Authentication is +based on strong X.509 certificates with SHA-2 signatures. +The X.509 certificate of the gateway moon uses a SHA-256 hash in +its signature whereas the certificates of the roadwarriors carol +and dave use SHA-384 and SHA-512, respectively. diff --git a/testing/tests/ikev1/strong-certs/evaltest.dat b/testing/tests/ikev1/strong-certs/evaltest.dat new file mode 100644 index 000000000..2fe4de76f --- /dev/null +++ b/testing/tests/ikev1/strong-certs/evaltest.dat @@ -0,0 +1,10 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..81d1ae8b6 --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + strictcrlpolicy=no + crlcheckinterval=180 + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert-sha384.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem new file mode 100644 index 000000000..d4b532323 --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEITCCAwmgAwIBAgIBETANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA2MTAwODEyMTI1MFoXDTExMTAwNzEyMTI1MFowWTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z +ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAtCwjB6Yni4jSTbPJ4GX0kM06nr2tDBdU0PH6dZra +IXNaNiBthBNPNDeCYAQDG/ouwuywAJ6L2Lt0GYEhJSwfXMm87fYSG8qRP+C/nlKz +3fCfsuZ8yOAo5NAp2kgvbFVdB5cMeOtid21UqUvDxkncjFRDgpERtrjSthalUFYu +ObIcSMPdlcDho73jzq6zVK5XDJ4l1LHUQLbS4SzyrphCYKekTIoDy3YwRUys6Pdm +4QlFBIXuBwOYHjclvVu0HQVNSM4nWAJd+204KUm/+8neO0kn1Yakv9yoa47o3KGP +3XjtmcgY9SqBbuF+8yDcZQ7+5zUBjc0J+d8txdPoIjLi7wIDAQABo4IBBjCCAQIw +CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFIUlEfDm3V0eDmRrpIvj +4FiPpGlpMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw +CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS +c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3 +YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAL5ZmFmy8lW4Vdwq +hWB6qTtLLa1wwCvTXwbV9V+F8dK39AvHj6CHFqTiFhAbGIq/Ryt9cg2XGy1TDjVj +hQEua7mjp8XH2j2NLY2SiFTMjchbHmMylFk2FrHy2ZnmlRCiH83TAw+EnUWsQKj+ +gL+7Of9SpiaaIblrl+aCiBVktRuXcFSaxjYWTVXOeTCwnxQdF2SNtUKDoCuVPk1J +XCrs86mj575xL/FGjyN4SVbjTEZ4lm1emxrf/RblZOhCKp7mUic8KyP0kf7o6X8E +MXXjq9fDQVrSDG/q62uhZu7CyInnBpWnoUKiMImSxRn/cs0r7RUspC5DtJyhE33Y +DW2BzIc= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..f719e4455 --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAtCwjB6Yni4jSTbPJ4GX0kM06nr2tDBdU0PH6dZraIXNaNiBt +hBNPNDeCYAQDG/ouwuywAJ6L2Lt0GYEhJSwfXMm87fYSG8qRP+C/nlKz3fCfsuZ8 +yOAo5NAp2kgvbFVdB5cMeOtid21UqUvDxkncjFRDgpERtrjSthalUFYuObIcSMPd +lcDho73jzq6zVK5XDJ4l1LHUQLbS4SzyrphCYKekTIoDy3YwRUys6Pdm4QlFBIXu +BwOYHjclvVu0HQVNSM4nWAJd+204KUm/+8neO0kn1Yakv9yoa47o3KGP3XjtmcgY +9SqBbuF+8yDcZQ7+5zUBjc0J+d8txdPoIjLi7wIDAQABAoIBAGmMhcUAYKBMui8N +CVHtSJXftNyz74Fq1aRGbdyhp/H6urmEy8OY8Eh90GHhV9T2/pfwwrbKKtEAF+at +EDbPn1vjT0v0YO1pAShzyK2+c2KsiVHr1uRy9WH+VNZsfWOwqnw8z/CyrI+cPAGl +wf4S3SJUZuxBgigSJFbJ83SZ2CCxrF3xyGyHxqiFWp0QMV2FPR3zedmwQiZTJft5 +fu3K5n8xlhHoiS32fuM57eNKKxt0v50JcobpT4uXBqPCrffOlORnjISRoWt/coSy +pmj1GFyRaaM5StvaEcowdZejIeVInhM+T1WEQ6mxog/JkzBPBStuSdCKxccqiTRs +ZO4i8xkCgYEA2KBVcgot6LB/UmYkXF2roaag/PYL7V0wdcF3BMJ2rwdT67fIaKm3 +aroxZpVauRLknH8epFpPpxbbLdyBjkNCuwB4NMKGwTZLzN+mFsQKLtFAxz959pPx +df5G30CmU09pJ+99C1m3AF295tOd4LTsw6OjyqUJpwl0y10EBg/FwN0CgYEA1OuY +jU8s029Hv6/2HB22rw5UN4Lj/ori/6SGZ5pHAdQVCooVaEd7HRgzPQKXGGMeNAxH +7oCVJWz16+XHDzyRVnjErn9Ux1mr/axiAiFC5MeNIHT1EZ8/NUCZJ14PANWobJpt +ft55BiNd92ygzVVsJgDzuWF87MILhk9AA7buMDsCgYBrPm0uyQVTZlWSOIkVxTXc +EH8w3Kqo93KvSXkfvRo+qpUMZG7uCd+JEea1D4nbiBPvuis0WJWIdhNKUBk/keLu +a1wXWpqV+shqA+rY6HLWHLhCLBW4UiO/M4RosDvnkK/RmonAXcjwgHgsV2WYwllY +vaGwCCaQMGlG6KS+T36qbQKBgELciNc3Gbh7pWhIdVx26DsooMGd1MLGEmp828gE +5m9ojgL1QauxZrPIOa7a9V+vIHjvslbvAebyxHcDfPMH7gvdeMXjLlg7jIroaw6I +K110XJjooVybSVoLowx9uPBmJ7GS/PduHUsUKBneftB8Fq4IdoCsYHJorP3MPSnt +c/apAoGANwqIIdgf+Lu17kDO0svQDzuZR5cRCmGZ8BpC+SpT49VpRaitYNqbSgVy +kOzXK1ZrO7nPnGkOQQjcaZZjKrUaMFMECFhNTwAv1RQZgkYDA8yAIC0MyACrwiGp +5fg/ZwLjlOuiJZ3sEUwRsrp72DwXE3x6X0+bJOr+KlPEq200E84= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..468be8afb --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + strictcrlpolicy=no + crlcheckinterval=180 + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert-sha512.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem new file mode 100644 index 000000000..73088cd1d --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHzCCAwegAwIBAgIBEjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA2MTAwODEyMjExMloXDTExMTAwNzEyMjExMlowWDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01 +MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDL4+PsltDM0QCCS08tkefhll5Q0nb2VEdRZotBIdt6 +XEY1kmDlw0yQOp0XUznnIhcrxXpKeWpLqJdbo56jSxMaUB3Mod1u+aKvVhCgkOT8 +uQa7gIdcNMuXnfnch7yYYS6YxVfzdr/qXBxmVYNbR9sXy48vAD6glZLEVjDITHJO +a6tEVSrAOMyeuA9XTYJiGw5loj63YbUr6Ikp6W9SncPCtfX6G2Amk38MTuITu93W +Pd/bGB06ra6gmMQGAhXuGs14n3QZfQz9PWTp9TPsQNqQZdEjQyNdfeAKtPuz5jnO +cnZuhvVR0q4sxWuy64vkyZ57luTZAXyxdInBeBOp7sC3AgMBAAGjggEFMIIBATAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU0wvMMeoe59mocM/RiYnD +iw9NUm0wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ +BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz +dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQC/uKe2O9elbSFgpKP5 +7ZjJrCkYu493iH/PDm5G4D76q6WkRvZDqTgGDSIrXrt1xRLIsVJES+HERxfED0DB +yXNe22p1jR8iZdCesZxmEsKYyLh9XmeixKCfnLvStWCVs0+vqwhJlIkyEAveZ4HR +Yq121khdmCDDUugpjEl/nU7CLvCRVgFrlhDm1QLs2rYqxwQrJ2SH4/1W0YRdkY2R +vKZ2ngjLBNjBfXWNXSOpEAG367nVam5lFAepUC0wZTshyCUXt1NzClTnxWABm6M6 +x2Qwg4D6Qt5iXSjR8+DGVh+LaBL/alQi1YYcjkxufdFHnko294c0HsZcTZ3KRghk +ue1F +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..a4a8a4f22 --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAy+Pj7JbQzNEAgktPLZHn4ZZeUNJ29lRHUWaLQSHbelxGNZJg +5cNMkDqdF1M55yIXK8V6SnlqS6iXW6Oeo0sTGlAdzKHdbvmir1YQoJDk/LkGu4CH +XDTLl5353Ie8mGEumMVX83a/6lwcZlWDW0fbF8uPLwA+oJWSxFYwyExyTmurRFUq +wDjMnrgPV02CYhsOZaI+t2G1K+iJKelvUp3DwrX1+htgJpN/DE7iE7vd1j3f2xgd +Oq2uoJjEBgIV7hrNeJ90GX0M/T1k6fUz7EDakGXRI0MjXX3gCrT7s+Y5znJ2bob1 +UdKuLMVrsuuL5Mmee5bk2QF8sXSJwXgTqe7AtwIDAQABAoIBAH9mxAoW5xvEUTQZ +SL1p2WH9qquIB2u+l93GXKdzN4iK1hgtgjyvv0y0Q2rKx3iktaPVPqgAnCnwi7to +Tv0sMSCVBTnTvuDUPhKfjb43K8668vkAxBQarUjtHq7tZiw1NX+ieGWaQyt3KQvM +zUqhaMbCnJK67Wc8bzwdu1e9ZQOYZlRWke4G8OU3GFkG5XsOPnoQySWAlhB6VEjv +qUZ6BS8SYTy0Rdzyjc35a3cvtDUqs0MOFVJ+gW44bje2B9X+59Wc8m1PJUf9P5+4 +HyNJl3BYfMUobfDuoSKBtcJtudGClUpBSCvBV34X3cYS//jNTuQxfZVc1HJym94C +uHj63wECgYEA/7ZyDDGap7dZahmhsU1a7H69zSrhwZDj9SozSnbWHfpml2yleLYO +fh94Jf8iL8yA4taS7JlB0YCuvvBsvXez2aD2Alh5rYqKYA/TROEXz+MLr4fqwi/X +ZvG1O5oM1/rJPQ06TKzEsYyAUKY3vInivrzUKIv0UP9D9HdkFWAvTYECgYEAzB6J +0Rrn15LFGhpzC3m2QH6EjWpoD8FMgGyV9E86d/v8kwBGvxRL8uma/mqP2A3okfuw +8ONP2HgXM7mUkr5wN9XbSuTRRUkDBsV9+tmR4pzMhKfiXZTekPIfaXTA60Fp9Ip8 +ddojWjs9P57ayxL6YVU/Y6uAON9Jbi7jH5DmGjcCgYEAjSjYGGchqsgKMgnoOoor +UTY97I5phYNIc8RSAB9N38qk655sUhCeO31/w+nto1lPJOmyva10qgRRctIiFQ2J +WPAEHhNdSDGcZZ8Wz4U6seXyQ3nSXFQwooF3vGk0Ad5NTMiKkF0nT6PyCZNYXVn4 +s7Zln+RygGwJxWBK/YnVUwECgYARgPzohZokDl4AowwCi+lpFnBfgCR0VWsuCCHD +1Zd5+o3qPTfT4vWwWwADmTfEm0y6WA8QWS3brlCvCtcGznXpE9m+TmjzvBMaXY00 +Gbw85p1TMuJijAWaAGlZLb3tbqqbYdTSdmZZsoLKFeFFUNdPyXOqJGbWea9eV376 +kf5peQKBgF5S8s7A73IqmvUcfGLdg91ff4PGkDhDjNt+hzACX9pk0LQiCBSM28Tm +bYwKy3P/Id7lfkPqe/lyTxBMVThBMIgW676g1yNKz21l2L5qakZQvunfqNfaV3iP +Y0i+BmuXM/SjEP+agX9hVyUZfqxITqUUgHA7GIP1O4/LJAZCbd/X +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..9031f323a --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7aed142a4 --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + strictcrlpolicy=no + crlcheckinterval=180 + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert-sha256.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem new file mode 100644 index 000000000..307f4953e --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHzCCAwegAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA2MTAwODEwNTgxMVoXDTExMTAwNzEwNTgxMVowWDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y +NTYxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDzXHm8D8sY1lmX7o1KK0jt/M+UzAI2Ifpx7nAqoviH +XQIPe56BOAm4zHhEIlojEMFd1nncplXvDDGjuV/2F0KK1bFxbNtom88Ix1jrRWtk +FLopYwj3ERC2970OhNO3nuPLrnEAzj6k3XPGMTA3drGnpRf162f7mHAdmYIRXtWm +mfaecs4wGFs8BFGdeDfo6SPhQXZSBwZqjzQxvk1PA7E1qifgR5IGNZkNQRQ9IZD0 +86xzjmZgg5DaJcQKw45elpiVKQN6OkdWTngR3uUBfseWNeRGP5UxCUbDnPijWUbA +6ZAdEfFXLgSpSoXHLNttvGg+SWm0kgKTpHYWYhvpflKNAgMBAAGjggEFMIIBATAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU0gL3aEo/H8c/Ld/GkBTb +W9Ma+nUwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ +BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz +dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCItzRn3TNWUzczBd8z +MtdPEsRl5Oi4fV3UecQxhjxAmJDLsEZT5I4uNa1XoLkJm6jVdSL7k+bjzjmpNJ1H +uL49cqia2yTdGP4IU0K8dTGaflg3ccaLLGGXTWU/NtgdI1o6yuZTwb6a9ZL7wWZT +x21BAsvyPTzCpUS1yCK4bFeYOxOYDphUGcwb0JTuRxx2/710b+p64BYiCfVkQJxT +eF1ZtjSW6nJgzMRg5n2zNpdrdXMMCPI6Nl7V6wxbs3Cphmz5qx3lijwi7nZt+jE5 +qK5gphph1MkKIhnA7MF66KEcx5Rknao68yLBBDIA/AISZ3bCIj8R1SGgl/tMYfep +sbRF +-----END CERTIFICATE----- diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..58ddc1525 --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA81x5vA/LGNZZl+6NSitI7fzPlMwCNiH6ce5wKqL4h10CD3ue +gTgJuMx4RCJaIxDBXdZ53KZV7wwxo7lf9hdCitWxcWzbaJvPCMdY60VrZBS6KWMI +9xEQtve9DoTTt57jy65xAM4+pN1zxjEwN3axp6UX9etn+5hwHZmCEV7Vppn2nnLO +MBhbPARRnXg36Okj4UF2UgcGao80Mb5NTwOxNaon4EeSBjWZDUEUPSGQ9POsc45m +YIOQ2iXECsOOXpaYlSkDejpHVk54Ed7lAX7HljXkRj+VMQlGw5z4o1lGwOmQHRHx +Vy4EqUqFxyzbbbxoPklptJICk6R2FmIb6X5SjQIDAQABAoIBAFl1Rf6eo57mtJqI +A4IfNTjetQPSloGFrgWRi8PwkoFX7Dj6zUJc8h3vc8pAAnhfYWV4QOWec3pjNiAk +NaVF2Z0lfoveYy0qEUn91a7untJ0WBZ8pEAGEunfWazroNQf4UbvQfT028xI55UU +YdARnq6snok01s2CtLv8wPZXsRwDRzs3FGg+S9ZCyYJ/NdRVn9JdjJLqi79mqGqM +il2bia6xmS7C/FVbHo3qS1G3WTXuwN6wLRihAzAzgvByeRnj1P3XuBU5xdAUwulm +6/LAcdZ/teWhR0z/NGAkCJ5NZa9u6u0OAyc6HSrPG6sGo8fQjXNWUIMwP2ucpg8q +Cvxt0GECgYEA/xfPo9d3cAFCnrBkefamtOU2jOOJeFVoapYQpEpOR0soTKx1BqUz +MWoqDuwjQTutwmfOlsDCL7T7QCQwAOQ4jwNdxwTm1EysNojVTkwoFJBicmvjrjof +MYyXv6EuDJnSDSmeTLuiDL91VoYgE1IeJjrunDLTCEFYBObI/LOjCmUCgYEA9Dn8 +a5wm15t4pSFJl81vLfY8lz4FtCWYygqmafh1HEb8UOAFZAEtCe7ulb1E4ce/IaNt +/YALjbMFT5D0jhRwmljBLHzJh3v9H0jl/0vudXxrzS7bqfHnbB0enJWsZBCfDBA6 +hiZd645F4gJyWcI/MQXP199w+UgV/v80XGyFUQkCgYBejo/8VrFCRmVQd2g3QXOY +GGL5JJrfjSEwaUHv9E9B5B0jFsYmWXQ5e/XtJCEJXDrTljEg9oDEuFxt8TwOCIri +kEfhrvJ1fZpUeLJA3L/6p26mpVF3UrofXtMdSHzOVPJkyKmSHfc6rHmtQfh/0O+2 +EiBCrCBHrhkXcAjOizQDdQKBgQDNb9l9S6UAyK77eLzHDO/w4aimMG3r05Rqn/rM +OUuJtcyY21itfq+8I1hebQ98POHyEd971jHhyC03eN++hEMUEoSsP2vmo82Qe2m9 +DspP2ZF0z23Hzsy0jOorHVwd8D1ZkG0qWyu18b+nFhfKmTM+sXzcQgBuMM0P6uzI +siCSwQKBgCOPBbSSXEIMUAKcsJ0p+j2fEy6CKmb/lOu+Aw1uvVNZI+xoOuXTmj9h +Jf79Lbhj16vmj0BPhRPyVEpgGIbNLiAU8518xGGaNdJgxQONwn9UGSJz4bgsbNBj +icwIRVYbKF13EKJp50tFpY+4FK2Z6Bg2KXh5RWWQdYcTApWBjyrZ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev1/strong-certs/posttest.dat b/testing/tests/ikev1/strong-certs/posttest.dat new file mode 100644 index 000000000..fc0fbeb38 --- /dev/null +++ b/testing/tests/ikev1/strong-certs/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/private/* +dave::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/certs/* +dave::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/strong-certs/pretest.dat b/testing/tests/ikev1/strong-certs/pretest.dat new file mode 100644 index 000000000..de51ccdfa --- /dev/null +++ b/testing/tests/ikev1/strong-certs/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/strong-certs/test.conf b/testing/tests/ikev1/strong-certs/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev1/strong-certs/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/virtual-ip-swapped/description.txt b/testing/tests/ikev1/virtual-ip-swapped/description.txt new file mode 100644 index 000000000..230906c5d --- /dev/null +++ b/testing/tests/ikev1/virtual-ip-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test virtual-ip but with +swapped end definitions: right denotes the local side whereas +left stands for the remote peer. diff --git a/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat b/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat new file mode 100644 index 000000000..23e109838 --- /dev/null +++ b/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..f4f2dedd0 --- /dev/null +++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_CAROL + rightsourceip=PH_IP_CAROL1 + rightnexthop=%direct + rightcert=carolCert.pem + rightid=carol@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..de7f07eb9 --- /dev/null +++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + right=PH_IP_MOON + rightsourceip=PH_IP_MOON1 + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightfirewall=yes + leftsubnetwithin=10.3.0.0/16 + left=%any + auto=add diff --git a/testing/tests/ikev1/virtual-ip-swapped/posttest.dat b/testing/tests/ikev1/virtual-ip-swapped/posttest.dat new file mode 100644 index 000000000..2116e86e0 --- /dev/null +++ b/testing/tests/ikev1/virtual-ip-swapped/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP_CAROL1/32 dev eth0 diff --git a/testing/tests/ikev1/virtual-ip-swapped/pretest.dat b/testing/tests/ikev1/virtual-ip-swapped/pretest.dat new file mode 100644 index 000000000..4fe0ee90b --- /dev/null +++ b/testing/tests/ikev1/virtual-ip-swapped/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/virtual-ip-swapped/test.conf b/testing/tests/ikev1/virtual-ip-swapped/test.conf new file mode 100644 index 000000000..f106524e2 --- /dev/null +++ b/testing/tests/ikev1/virtual-ip-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/virtual-ip/description.txt b/testing/tests/ikev1/virtual-ip/description.txt new file mode 100644 index 000000000..4ec6021ea --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/description.txt @@ -0,0 +1,8 @@ +The roadwarrior carol sets up a connection to gateway moon. Both carol +and moon define a static virtual IP using the leftsourceip parameter. +leftfirewall=yes automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, carol pings the client alice +behind the gateway moon as well as the inner interface of the gateway. The source IP +of the two pings will be the virtual IP carol1. Also thanks to its virtual IP moon1 +the gateway moon is able to ping carol1 by using the existing subnet-subnet IPsec +tunnel. diff --git a/testing/tests/ikev1/virtual-ip/evaltest.dat b/testing/tests/ikev1/virtual-ip/evaltest.dat new file mode 100644 index 000000000..23e109838 --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a863df33e --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=PH_IP_CAROL1 + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..c0310692a --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftsourceip=PH_IP_MOON1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + rightsubnetwithin=10.3.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/virtual-ip/posttest.dat b/testing/tests/ikev1/virtual-ip/posttest.dat new file mode 100644 index 000000000..2116e86e0 --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP_CAROL1/32 dev eth0 diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat new file mode 100644 index 000000000..0b2ae8d2b --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/virtual-ip/test.conf b/testing/tests/ikev1/virtual-ip/test.conf new file mode 100644 index 000000000..f106524e2 --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/wildcards/description.txt b/testing/tests/ikev1/wildcards/description.txt new file mode 100644 index 000000000..e485f7066 --- /dev/null +++ b/testing/tests/ikev1/wildcards/description.txt @@ -0,0 +1,8 @@ +The VPN gateway moon controls the access to the hosts alice and +venus by means of wildcard parameters that must match the subject +Distinguished Name contained in the peer's X.509 certificate. Access to +alice is granted for DNs containing a OU=Research field whereas venus +can only be reached with a DN containing OU=Accounting. The roadwarriors +carol and dave belong to the departments 'Research' and 'Accounting', +respectively. Therefore carol can access alice and dave +can reach venus. diff --git a/testing/tests/ikev1/wildcards/evaltest.dat b/testing/tests/ikev1/wildcards/evaltest.dat new file mode 100644 index 000000000..cbc94b75a --- /dev/null +++ b/testing/tests/ikev1/wildcards/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..d6d32a39d --- /dev/null +++ b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..6156fadba --- /dev/null +++ b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..162e22c43 --- /dev/null +++ b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*" + auto=add diff --git a/testing/tests/ikev1/wildcards/posttest.dat b/testing/tests/ikev1/wildcards/posttest.dat new file mode 100644 index 000000000..ed530f6d9 --- /dev/null +++ b/testing/tests/ikev1/wildcards/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop diff --git a/testing/tests/ikev1/wildcards/pretest.dat b/testing/tests/ikev1/wildcards/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/ikev1/wildcards/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/ikev1/wildcards/test.conf b/testing/tests/ikev1/wildcards/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/ikev1/wildcards/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/wlan/description.txt b/testing/tests/ikev1/wlan/description.txt new file mode 100644 index 000000000..e018148bd --- /dev/null +++ b/testing/tests/ikev1/wlan/description.txt @@ -0,0 +1,15 @@ +The WLAN clients alice and venus secure all their wireless traffic +by setting up an IPsec tunnel to gateway moon. The VPN network mask is +0.0.0.0/0. Traffic with destination outside the protected 10.1.0.0/10 network +is NAT-ed by router moon. The IPsec connections are tested by pings from +alice to venus tunneled via moon and to both the internal +and external interface of gateway moon. Access to the gateway is +set up by lefthostaccess=yes in conjunction with leftfirewall=yes. +At last alice and venus ping the external host sun via the NAT router. +

+The host system controls the UML instances alice and carol via +ssh commands sent over the virtual tap1 interface. In order to keep up +the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel +to the gateway moon an auxiliary passthrough eroute restricted +to the ssh port is statically set up by conn system. + diff --git a/testing/tests/ikev1/wlan/evaltest.dat b/testing/tests/ikev1/wlan/evaltest.dat new file mode 100644 index 000000000..079ac4429 --- /dev/null +++ b/testing/tests/ikev1/wlan/evaltest.dat @@ -0,0 +1,11 @@ +alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES +alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +moon::tcpdump::ESP::YES +sun::tcpdump::ICMP::YES diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables new file mode 100755 index 000000000..86a76e2db --- /dev/null +++ b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..665ce592f --- /dev/null +++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn system + left=PH_IP_ALICE + leftprotoport=tcp/ssh + leftnexthop=%direct + authby=never + type=passthrough + right=10.1.0.254 + rightprotoport=tcp + auto=route + +conn wlan + left=PH_IP_ALICE + leftnexthop=%direct + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP_MOON1 + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0 + auto=add + diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..e95ef44c6 --- /dev/null +++ b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables @@ -0,0 +1,82 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth1 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # enable SNAT + iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON + iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..44f980422 --- /dev/null +++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn alice + right=PH_IP_ALICE + rightid=alice@strongswan.org + also=wlan + auto=add + +conn venus + right=PH_IP_VENUS + rightid=@venus.strongswan.org + also=wlan + auto=add + +conn wlan + left=PH_IP_MOON1 + leftnexthop=%direct + leftsubnet=0.0.0.0/0 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + lefthostaccess=yes + diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables new file mode 100755 index 000000000..6f95e7576 --- /dev/null +++ b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..5d861548d --- /dev/null +++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn system + left=PH_IP_VENUS + leftprotoport=tcp/ssh + leftnexthop=%direct + authby=never + type=passthrough + right=10.1.0.254 + rightprotoport=tcp + auto=route + +conn wlan + left=PH_IP_VENUS + leftnexthop=%direct + leftcert=venusCert.pem + leftid=@venus.strongswan.org + leftfirewall=yes + right=PH_IP_MOON1 + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0 + auto=add + diff --git a/testing/tests/ikev1/wlan/posttest.dat b/testing/tests/ikev1/wlan/posttest.dat new file mode 100644 index 000000000..6bd2379d8 --- /dev/null +++ b/testing/tests/ikev1/wlan/posttest.dat @@ -0,0 +1,8 @@ +moon::iptables -t nat -v -n -L POSTROUTING +moon::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +moon::/etc/init.d/iptables stop 2> /dev/null +moon::conntrack -F diff --git a/testing/tests/ikev1/wlan/pretest.dat b/testing/tests/ikev1/wlan/pretest.dat new file mode 100644 index 000000000..de4a6ad31 --- /dev/null +++ b/testing/tests/ikev1/wlan/pretest.dat @@ -0,0 +1,11 @@ +moon::/etc/init.d/iptables start 2> /dev/null +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +alice::ipsec start +venus::ipsec start +alice::sleep 2 +alice::ipsec up wlan +venus::sleep 2 +venus::ipsec up wlan +venus::sleep 2 diff --git a/testing/tests/ikev1/wlan/test.conf b/testing/tests/ikev1/wlan/test.conf new file mode 100644 index 000000000..b141c4f1b --- /dev/null +++ b/testing/tests/ikev1/wlan/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon:eth1 sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus moon" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-psk-mode-config/description.txt new file mode 100644 index 000000000..9abe6298c --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +The authentication is based on Pre-Shared Keys (PSK) +followed by extended authentication (XAUTH) of carol and dave +based on user names and passwords. Next carol and dave request a +virtual IP via the IKE Mode Config protocol by using the +leftsourceip=%modeconfig parameter. +

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, carol and dave ping the client +alice behind the gateway moon. diff --git a/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat new file mode 100644 index 000000000..15dd054a0 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat @@ -0,0 +1,18 @@ +carol::cat /var/log/auth.log::extended authentication was successful::YES +dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES +moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..3fd0ebf85 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftsourceip=%modeconfig + leftnexthop=%direct + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..70ea1dab6 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: XAUTH carol "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..8d20a5d20 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftsourceip=%modeconfig + leftnexthop=%direct + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..0690d9cde --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..66f705e79 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + xauth=server + left=PH_IP_MOON + leftid=@moon.strongswan.org + leftnexthop=%direct + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add + +conn carol + rightid=carol@strongswan.org + rightsourceip=PH_IP_CAROL1 + +conn dave + rightid=dave@strongswan.org + rightsourceip=PH_IP_DAVE1 diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..1ea69f998 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: XAUTH carol "4iChxLT3" + +: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat new file mode 100644 index 000000000..42fa8359b --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP_CAROL1/32 dev eth0 +dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat b/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat new file mode 100644 index 000000000..95a6be131 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat @@ -0,0 +1,12 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-psk-mode-config/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-psk/description.txt b/testing/tests/ikev1/xauth-psk/description.txt new file mode 100644 index 000000000..0ac2043c2 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +The authentication is based on Pre-Shared Keys (PSK) +followed by extended authentication (XAUTH) of carol and dave +based on user names and passwords. +

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, carol and dave ping the client +alice behind the gateway moon. diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat new file mode 100644 index 000000000..e1dc6b5b0 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/auth.log::extended authentication was successful::YES +dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::extended authentication was successful::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..3e8ddf0fe --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..70ea1dab6 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: XAUTH carol "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..9aee88cfe --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + +conn home + left=PH_IP_DAVE + leftnexthop=%direct + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..0690d9cde --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..dfaa44521 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + xauth=server + +conn rw + left=PH_IP_MOON + leftnexthop=%direct + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..047d6c235 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: XAUTH carol "4iChxLT3" + +: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat new file mode 100644 index 000000000..95a6be131 --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/pretest.dat @@ -0,0 +1,12 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt new file mode 100644 index 000000000..83e9d2726 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/description.txt @@ -0,0 +1,5 @@ +The roadwarrior carol sets up a connection to gateway moon. +The authentication is based on RSA signatures (RSASIG) using X.509 +certificates followed by extended authentication (XAUTH) based +on user name and password. Because user carol presents a wrong +XAUTH password the IKE negotation is aborted and the ISAKMP SA is deleted. diff --git a/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat b/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat new file mode 100644 index 000000000..0bcef388d --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat @@ -0,0 +1,4 @@ +carol::cat /var/log/auth.log::extended authentication failed::YES +moon::cat /var/log/auth.log::extended authentication failed::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..d49bc1490 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..24506be09 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +: XAUTH carol "4iChxLT8" diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6a48cf6ee --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + xauth=server + +conn rw + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..a18e885f8 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +: XAUTH carol "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-fail/posttest.dat b/testing/tests/ikev1/xauth-rsa-fail/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat new file mode 100644 index 000000000..1b8fc3b79 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/xauth-rsa-fail/test.conf b/testing/tests/ikev1/xauth-rsa-fail/test.conf new file mode 100644 index 000000000..5442565f8 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/description.txt b/testing/tests/ikev1/xauth-rsa-mode-config/description.txt new file mode 100644 index 000000000..aa2b31542 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +The authentication is based on RSA signatures (RSASIG) using X.509 certificates +followed by extended authentication (XAUTH) of carol and dave +based on user names and passwords. Next both carol and dave request a +virtual IP via the IKE Mode Config protocol by using the +leftsourceip=%modeconfig parameter. +

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, carol and dave ping the client +alice behind the gateway moon. diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat new file mode 100644 index 000000000..15dd054a0 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat @@ -0,0 +1,18 @@ +carol::cat /var/log/auth.log::extended authentication was successful::YES +dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES +moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..90539650f --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + +conn home + left=PH_IP_CAROL + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..48fd260c1 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +: XAUTH carol "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..19618145d --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + +conn home + left=PH_IP_DAVE + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..14f088501 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem + +: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..eccdc2b70 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + xauth=server + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add + +conn rw-carol + rightid=carol@strongswan.org + rightsourceip=PH_IP_CAROL1 + +conn rw-dave + rightid=dave@strongswan.org + rightsourceip=PH_IP_DAVE1 diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..8d41919fc --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +: XAUTH carol "4iChxLT3" + +: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat new file mode 100644 index 000000000..42fa8359b --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP_CAROL1/32 dev eth0 +dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat new file mode 100644 index 000000000..78e2d57f8 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/test.conf b/testing/tests/ikev1/xauth-rsa-mode-config/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt new file mode 100644 index 000000000..ffbb47c04 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt @@ -0,0 +1,6 @@ +The roadwarrior carol sets up a connection to gateway moon. +The authentication is based on RSA signatures (RSASIG) using X.509 +certificates followed by extended authentication (XAUTH) based +on user name and password. Because user carol cannot find her +XAUTH credentials in ipsec.secrets, the IKE negotation is aborted and the +ISAKMP SA is deleted. diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat new file mode 100644 index 000000000..ddbb3ae2d --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat @@ -0,0 +1,4 @@ +carol::cat /var/log/auth.log::xauth user credentials not found::YES +moon::cat /var/log/auth.log::received FAIL status in XAUTH reply::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..d49bc1490 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..6a2aea811 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6a48cf6ee --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + xauth=server + +conn rw + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..a18e885f8 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +: XAUTH carol "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/test.conf b/testing/tests/ikev1/xauth-rsa-nosecret/test.conf new file mode 100644 index 000000000..5442565f8 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/xauth-rsa/description.txt b/testing/tests/ikev1/xauth-rsa/description.txt new file mode 100644 index 000000000..0cdaba1c5 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +The authentication is based on RSA signatures (RSASIG) using X.509 certificates +followed by extended authentication (XAUTH) of carol and dave +based on user names and passwords. +

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, carol and dave ping the client +alice behind the gateway moon. diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat new file mode 100644 index 000000000..e1dc6b5b0 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/auth.log::extended authentication was successful::YES +dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::extended authentication was successful::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..d49bc1490 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..48fd260c1 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +: XAUTH carol "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..5c1de3372 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + +conn home + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..14f088501 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem + +: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..a997fb73f --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + xauth=server + +conn rw + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..8d41919fc --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +: XAUTH carol "4iChxLT3" + +: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat new file mode 100644 index 000000000..78e2d57f8 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" -- cgit v1.2.3