From 7585facf05d927eb6df3929ce09ed5e60d905437 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 7 Feb 2013 13:27:27 +0100 Subject: Imported Upstream version 5.0.2 --- testing/tests/ikev2/nat-rw-mark/description.txt | 2 +- testing/tests/ikev2/nat-rw-mark/evaltest.dat | 20 +++++++++--------- .../ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules | 24 ++++++++++++++++++++++ .../ikev2/nat-rw-mark/hosts/sun/etc/mark_updown | 16 ++++++++++++--- testing/tests/ikev2/nat-rw-mark/posttest.dat | 9 ++++---- testing/tests/ikev2/nat-rw-mark/pretest.dat | 19 ++++++++--------- testing/tests/ikev2/nat-rw-mark/test.conf | 10 ++++----- 7 files changed, 67 insertions(+), 33 deletions(-) create mode 100644 testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules (limited to 'testing/tests/ikev2/nat-rw-mark') diff --git a/testing/tests/ikev2/nat-rw-mark/description.txt b/testing/tests/ikev2/nat-rw-mark/description.txt index 2a93d11d8..b8074e665 100644 --- a/testing/tests/ikev2/nat-rw-mark/description.txt +++ b/testing/tests/ikev2/nat-rw-mark/description.txt @@ -1,7 +1,7 @@ The roadwarriors alice and venus sitting behind the NAT router moon set up tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway sun uses Source NAT -after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively. +after ESP decryption to map these subnets to PH_IP_CAROL10 and PH_IP_DAVE10, respectively.

In order to differentiate between the tunnels to alice and venus, respectively, XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat index db9e969d2..bb8e856cc 100644 --- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat +++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat @@ -6,13 +6,13 @@ sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@ sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES -bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES -bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4510.*: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4520.*: UDP::YES +bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES +bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown index 0d22e684d..421335ffb 100755 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown @@ -73,8 +73,12 @@ # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. # # PLUTO_MY_PROTOCOL # is the IP protocol that will be transported. @@ -128,9 +132,15 @@ # contains the remote UDP port in the case of ESP_IN_UDP # encapsulation # +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# # define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" export PATH # uncomment to log VPN connections diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat index 89d5f534b..72dff4e10 100644 --- a/testing/tests/ikev2/nat-rw-mark/posttest.dat +++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat @@ -2,10 +2,11 @@ sun::iptables -t mangle -v -n -L PREROUTING sun::ipsec stop alice::ipsec stop venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::iptables-restore < /etc/iptables.flush moon::conntrack -F +sun::iptables-restore < /etc/iptables.flush sun::conntrack -F sun::rm /etc/mark_updown diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat index 3ed13d5fa..6cddfd4fe 100644 --- a/testing/tests/ikev2/nat-rw-mark/pretest.dat +++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat @@ -1,21 +1,20 @@ -sun::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520 -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10 +sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 10 +sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20 sun::ipsec start alice::ipsec start venus::ipsec start -alice::sleep 2 +alice::sleep 2 alice::ipsec up nat-t -venus::sleep 2 +venus::sleep 2 venus::ipsec up nat-t venus::sleep 2 diff --git a/testing/tests/ikev2/nat-rw-mark/test.conf b/testing/tests/ikev2/nat-rw-mark/test.conf index ae3c190b8..105472cbe 100644 --- a/testing/tests/ikev2/nat-rw-mark/test.conf +++ b/testing/tests/ikev2/nat-rw-mark/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon winnetou sun bob" +VIRTHOSTS="alice venus moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon bob" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice venus sun" -- cgit v1.2.3