From c1343b3278cdf99533b7902744d15969f9d6fdc1 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Wed, 2 Jan 2013 14:18:20 +0100 Subject: Imported Upstream version 5.0.1 --- .../tests/openssl-ikev2/alg-blowfish/evaltest.dat | 27 +++++++++++----------- .../alg-blowfish/hosts/carol/etc/ipsec.conf | 5 +--- .../alg-blowfish/hosts/carol/etc/strongswan.conf | 2 +- .../alg-blowfish/hosts/dave/etc/ipsec.conf | 5 +--- .../alg-blowfish/hosts/dave/etc/strongswan.conf | 2 +- .../alg-blowfish/hosts/moon/etc/ipsec.conf | 5 +--- .../alg-blowfish/hosts/moon/etc/strongswan.conf | 2 +- .../tests/openssl-ikev2/alg-camellia/evaltest.dat | 14 +++++------ .../alg-camellia/hosts/carol/etc/ipsec.conf | 3 --- .../alg-camellia/hosts/carol/etc/strongswan.conf | 2 +- .../alg-camellia/hosts/moon/etc/ipsec.conf | 3 --- .../alg-camellia/hosts/moon/etc/strongswan.conf | 2 +- .../tests/openssl-ikev2/alg-ecp-high/evaltest.dat | 19 +++++++++------ .../alg-ecp-high/hosts/carol/etc/ipsec.conf | 5 +--- .../alg-ecp-high/hosts/carol/etc/strongswan.conf | 6 +---- .../alg-ecp-high/hosts/dave/etc/ipsec.conf | 5 +--- .../alg-ecp-high/hosts/dave/etc/strongswan.conf | 6 +---- .../alg-ecp-high/hosts/moon/etc/ipsec.conf | 3 --- .../alg-ecp-high/hosts/moon/etc/strongswan.conf | 6 +---- .../tests/openssl-ikev2/alg-ecp-low/evaltest.dat | 19 +++++++++------ .../alg-ecp-low/hosts/carol/etc/ipsec.conf | 5 +--- .../alg-ecp-low/hosts/carol/etc/strongswan.conf | 6 +---- .../alg-ecp-low/hosts/dave/etc/ipsec.conf | 5 +--- .../alg-ecp-low/hosts/dave/etc/strongswan.conf | 6 +---- .../alg-ecp-low/hosts/moon/etc/ipsec.conf | 5 +--- .../alg-ecp-low/hosts/moon/etc/strongswan.conf | 6 +---- .../openssl-ikev2/critical-extension/evaltest.dat | 8 +++---- .../critical-extension/hosts/moon/etc/ipsec.conf | 3 --- .../hosts/moon/etc/strongswan.conf | 2 +- .../critical-extension/hosts/sun/etc/ipsec.conf | 3 --- .../hosts/sun/etc/strongswan.conf | 2 +- .../tests/openssl-ikev2/ecdsa-certs/evaltest.dat | 19 +++++++++------ .../ecdsa-certs/hosts/carol/etc/ipsec.conf | 3 --- .../ecdsa-certs/hosts/carol/etc/strongswan.conf | 2 +- .../ecdsa-certs/hosts/dave/etc/ipsec.conf | 3 --- .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 2 +- .../ecdsa-certs/hosts/moon/etc/ipsec.conf | 3 --- .../ecdsa-certs/hosts/moon/etc/strongswan.conf | 2 +- .../tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat | 15 ++++++------ .../ecdsa-pkcs8/hosts/carol/etc/ipsec.conf | 3 --- .../ecdsa-pkcs8/hosts/carol/etc/strongswan.conf | 2 +- .../ecdsa-pkcs8/hosts/dave/etc/ipsec.conf | 3 --- .../ecdsa-pkcs8/hosts/dave/etc/strongswan.conf | 2 +- .../ecdsa-pkcs8/hosts/moon/etc/ipsec.conf | 3 --- .../ecdsa-pkcs8/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/openssl-ikev2/rw-cert/evaltest.dat | 13 +++++++---- .../rw-cert/hosts/carol/etc/ipsec.conf | 3 --- .../rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../rw-cert/hosts/dave/etc/ipsec.conf | 3 --- .../rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../rw-cert/hosts/moon/etc/ipsec.conf | 3 --- .../rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../openssl-ikev2/rw-eap-tls-only/evaltest.dat | 6 ++--- .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf | 2 -- .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 2 +- 57 files changed, 114 insertions(+), 184 deletions(-) mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf mode change 100755 => 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf (limited to 'testing/tests/openssl-ikev2') diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat index f1b33895b..3787bdb68 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat @@ -1,16 +1,17 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES +dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES +dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES +dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES -dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES -dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES +dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf old mode 100755 new mode 100644 index 62e181012..adee238e6 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -12,7 +9,7 @@ conn %default keyingtries=1 keyexchange=ikev2 ike=blowfish256-sha512-modp2048! - esp=blowfish192-sha256! + esp=blowfish192-sha384! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index bdbdad2e5..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf old mode 100755 new mode 100644 index 26f3f3a04..e22322431 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -12,7 +9,7 @@ conn %default keyingtries=1 keyexchange=ikev2 ike=blowfish128-sha256-modp1536! - esp=blowfish128-sha1! + esp=blowfish128-sha256! conn home left=PH_IP_DAVE diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf index bdbdad2e5..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index 31a00f7fb..43bbb36a9 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -12,7 +9,7 @@ conn %default keyingtries=1 keyexchange=ikev2 ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! - esp=blowfish192-sha256,blowfish128-sha1! + esp=blowfish192-sha384,blowfish128-sha256! conn rw left=PH_IP_MOON diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index bdbdad2e5..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat index d77c4806e..5b5c94fb1 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat @@ -1,11 +1,11 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES -carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES -carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES -moon::ip xfrm state::enc cbc(camellia)::YES +moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf old mode 100755 new mode 100644 index 37f8a7ecf..004295437 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index e96dfe574..c4ac99166 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index f8d7e3fe9..0f6a4f569 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf index e96dfe574..c4ac99166 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat index 009936466..2540eb106 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat @@ -1,12 +1,17 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES -dave::cat /var/log/daemon.log::ECP_256.*ECP_521::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES +dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf old mode 100755 new mode 100644 index 0550a09b4..2fd776e25 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -11,7 +8,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes192-sha384-ecp256,aes192-sha384-ecp384! + ike=aes128-sha256-ecp256,aes192-sha384-ecp384! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf index b9da84efb..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown -} - -libstrongswan { - ecp_x_coordinate_only = no + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf old mode 100755 new mode 100644 index 22026fc36..8d8989ed7 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -11,7 +8,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes256-sha512-ecp256,aes256-sha512-ecp521! + ike=aes128-sha256-ecp256,aes256-sha512-ecp521! conn home left=PH_IP_DAVE diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf index 01fd353c1..785772254 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown -} - -libstrongswan { - ecp_x_coordinate_only = no + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index ffe13d259..addcc6175 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf index b9da84efb..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown -} - -libstrongswan { - ecp_x_coordinate_only = no + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat index e2073d9be..f82159e7c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat @@ -1,12 +1,17 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES -dave::cat /var/log/daemon.log::ECP_192.*ECP_256::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES +dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES +carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf old mode 100755 new mode 100644 index 6a15b3f54..b754c29ba --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -11,7 +8,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-ecp192,aes128-sha256-ecp224! + ike=aes192-sha384-ecp192,3des-sha256-ecp224! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf index b9da84efb..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown -} - -libstrongswan { - ecp_x_coordinate_only = no + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf old mode 100755 new mode 100644 index b4bdf456f..b5e9215c5 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -11,7 +8,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-ecp192,aes128-sha256-ecp256! + ike=aes192-sha384-ecp192,aes128-sha256-ecp256! conn home left=PH_IP_DAVE diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf index 01fd353c1..785772254 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown -} - -libstrongswan { - ecp_x_coordinate_only = no + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index 64ec0f12c..2e4a15ec3 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -11,7 +8,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-ecp224,aes128-sha256-ecp256! + ike=3des-sha256-ecp224,aes128-sha256-ecp256! conn rw left=PH_IP_MOON diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf index b9da84efb..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown -} - -libstrongswan { - ecp_x_coordinate_only = no + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat index 1c23dcad6..cc904c8bc 100644 --- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat +++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat @@ -1,6 +1,6 @@ moon::cat /var/log/daemon.log::sending end entity cert::YES moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES -sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES -sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES -sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES +sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES +sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES +sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES +sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index 2e3c9dde4..3b065774f --- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf index f4ab41f2c..628476313 100644 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf old mode 100755 new mode 100644 index 19e197131..2b4406d75 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf index c45805ca6..444a41dbc 100644 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat index 868da5776..5918faa8c 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat @@ -1,12 +1,17 @@ -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf old mode 100755 new mode 100644 index c75d6b2a1..dd2ceea60 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf index bdbdad2e5..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf old mode 100755 new mode 100644 index 080ce9bce..4c6e11f16 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf index bdbdad2e5..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index c932101d2..e67d9af9b --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf index bdbdad2e5..0bbf93a18 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat index 868da5776..52913759f 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat @@ -1,12 +1,13 @@ -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf old mode 100755 new mode 100644 index c75d6b2a1..dd2ceea60 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf index 35c522d0e..440bdaa4b 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf old mode 100755 new mode 100644 index 080ce9bce..4c6e11f16 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf index 35c522d0e..440bdaa4b 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index c932101d2..e67d9af9b --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf index 35c522d0e..440bdaa4b 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat index 06a0f8cda..f8cfb111b 100644 --- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat @@ -1,8 +1,13 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf old mode 100755 new mode 100644 index 4a8baa3ae..213cd70fa --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 2b862e1b3..5f71075dc 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl test-vectors pem pkcs1 openssl revocation random nonce hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf old mode 100755 new mode 100644 index 42f03aab3..653316fde --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 4e74127fe..5708510ef 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index 2e84f2e6a..16299b339 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 48b7d16f2..3d9d7306f 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl test-vectors pem pkcs1 openssl revocation random nonce hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat index 41ebec307..e476da03f 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat @@ -1,10 +1,10 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf old mode 100755 new mode 100644 index 02ece4738..2d061c6c2 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default @@ -20,6 +19,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index ed9b8c764..6072bb335 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown + load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf old mode 100755 new mode 100644 index 2679d4f9b..28a5cad31 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no charondebug="tls 2" conn %default diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 46d8e2933..5660f4376 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown + load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } -- cgit v1.2.3