From 5313d2d78ca150515f7f5eb39801c100690b6b29 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Fri, 1 Nov 2013 13:32:07 +0100 Subject: Imported Upstream version 5.1.1 --- .../alg-ecp-brainpool-high/description.txt | 17 +++++++++++++++++ .../alg-ecp-brainpool-high/evaltest.dat | 19 +++++++++++++++++++ .../hosts/carol/etc/ipsec.conf | 21 +++++++++++++++++++++ .../hosts/carol/etc/strongswan.conf | 5 +++++ .../hosts/dave/etc/ipsec.conf | 21 +++++++++++++++++++++ .../hosts/dave/etc/strongswan.conf | 5 +++++ .../hosts/moon/etc/ipsec.conf | 20 ++++++++++++++++++++ .../hosts/moon/etc/strongswan.conf | 5 +++++ .../alg-ecp-brainpool-high/posttest.dat | 6 ++++++ .../alg-ecp-brainpool-high/pretest.dat | 9 +++++++++ .../openssl-ikev2/alg-ecp-brainpool-high/test.conf | 21 +++++++++++++++++++++ .../alg-ecp-brainpool-low/description.txt | 17 +++++++++++++++++ .../alg-ecp-brainpool-low/evaltest.dat | 19 +++++++++++++++++++ .../hosts/carol/etc/ipsec.conf | 21 +++++++++++++++++++++ .../hosts/carol/etc/strongswan.conf | 5 +++++ .../alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf | 21 +++++++++++++++++++++ .../hosts/dave/etc/strongswan.conf | 5 +++++ .../alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf | 20 ++++++++++++++++++++ .../hosts/moon/etc/strongswan.conf | 5 +++++ .../alg-ecp-brainpool-low/posttest.dat | 6 ++++++ .../openssl-ikev2/alg-ecp-brainpool-low/pretest.dat | 9 +++++++++ .../openssl-ikev2/alg-ecp-brainpool-low/test.conf | 21 +++++++++++++++++++++ .../openssl-ikev2/rw-suite-b-128/description.txt | 2 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 11 ++++++----- .../rw-suite-b-128/hosts/carol/etc/ipsec.secrets | 2 +- .../openssl-ikev2/rw-suite-b-192/description.txt | 2 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 14 ++++++++------ .../rw-suite-b-192/hosts/carol/etc/ipsec.secrets | 2 +- 28 files changed, 316 insertions(+), 15 deletions(-) create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat create mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf (limited to 'testing/tests/openssl-ikev2') diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt new file mode 100644 index 000000000..d0ae5a823 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt @@ -0,0 +1,17 @@ +The roadwarrior carol and the gateway moon use the openssl +plugin based on the OpenSSL library for all cryptographical and X.509 +certificate functions whereas roadwarrior dave uses the default strongSwan +cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +plugin for the Elliptic Curve Diffie-Hellman groups only. +

+The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on X.509 certificates. +carol proposes the Brainpool DH groups ECP_256_BP and ECP_384_BP whereas +dave proposes ECP_256_BP and ECP_512_B P. Since moon does not support +ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively. +

+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. + diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat new file mode 100644 index 000000000..b7606a48d --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat @@ -0,0 +1,19 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES +dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..bfca8965f --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0bbf93a18 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..2b16165dc --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..785772254 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..8c02c9fea --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0bbf93a18 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat new file mode 100644 index 000000000..8bbea1412 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt new file mode 100644 index 000000000..78eb0ffb3 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt @@ -0,0 +1,17 @@ +The roadwarrior carol and the gateway moon use the openssl +plugin based on the OpenSSL library for all cryptographical and X.509 +certificate functions whereas roadwarrior dave uses the default strongSwan +cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +plugin for the Elliptic Curve Diffie-Hellman groups only. +

+The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on X.509 certificates. +carol proposes the Brainpool DH groups ECP_384_BP and ECP_224_BP whereas +dave proposes ECP_192_BP and ECP_256_BP. Since moon does not support +ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively. +

+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. + diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat new file mode 100644 index 000000000..5fb2073dd --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat @@ -0,0 +1,19 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES +dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES +carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..be85b6c1e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0bbf93a18 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..1adedc048 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..785772254 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..b4cd86c60 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0bbf93a18 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat new file mode 100644 index 000000000..8bbea1412 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt index c1a3da88e..26e42c4b7 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt @@ -3,7 +3,7 @@ but because carol has set the strongswan.conf option initiator_only = she ignores the repeated IKE requests sent by dave.

After the failed connection attempt by dave, roadwarrior carol sets up a -connection to gateway moon. The authentication is based on Suite B with 128 bit +connection to gateway moon. The authentication is based on Suite B with 128 bit security based on X.509 ECDSA certificates, ECP Diffie-Hellman groups and AES-GCM authenticated encryption.

diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem index d29ddb9ee..522a29607 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,5 +1,6 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49 -AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B -rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw== ------END EC PRIVATE KEY----- +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIGxMBwGCiqGSIb3DQEMAQMwDgQIMZeZ6WcLRQICAggABIGQVdFY4uNX+wTljx5B +maey2lQKGzR1uWujrlgrnV5XUllz5riVLBQ62guQv2TWkQmwaiT503Fki+Hc+VfJ +9CYAg9UjPuT/2H0e5wq0ZnWNJkpWY2LRpMeCkS4Tdww8PBINAoDraeLxtYLm2xsX +mQ7raVahMTmSIO0YTkT7DJmevJAh2zYP7B613tY0PSKxcIdI +-----END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets index 3d6725162..4e53ef91a 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: ECDSA carolKey.pem +: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt index 24bb2b3df..b8cb4fb8b 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt @@ -3,7 +3,7 @@ but because carol has set the strongswan.conf option initiator_only = she ignores the repeated IKE requests sent by dave.

After the failed connection attempt by dave, roadwarrior carol sets up a -connection to gateway moon. The authentication is based on Suite B with 192 bit +connection to gateway moon. The authentication is based on Suite B with 192 bit security based on X.509 ECDSA certificates, ECP Diffie-Hellman groups and AES-GCM authenticated encryption.

diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem index b94625718..52e044d5e 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,6 +1,8 @@ ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDCkhn8iMx3xfYLzonabc5FVG700UU6WKdke251F8ncgj1sGd5HZCV+N -6pHODLMII96gBwYFK4EEACKhZANiAARGIOWH9s4UOrptJF0OraK85w1zFZIaU7l3 -LnIFG8CFNaU0lzL3ePGEMjMXmbE+maA1el2ZIFEpubfJ2TDwttYj7n+WN7TpiXqc -4sE7plvsaodcU74GomtTHNt0dfDFaq0= ------END EC PRIVATE KEY----- +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIBJ620rnDFmACAggA +MBQGCCqGSIb3DQMHBAh/kkTRYRcX+wSBwIWR0utZGuNjA73xHtLlpgEG+Bt3WfVk +f/C5nSAIov9F3x1BdJ6il25cdcZBsq8/I15kWU9M5CyAnoHFNLcyAHcRK6NONqlr +lFCrU0P5OBDbo6YbCVQKAufCCH1WIGdJvMKL5gaV4mytTrc0g8aYr+66lMKlMJb8 +43pzNGdEwLFfyrpKIFjysCIj30btCVzJWFDeBptmF9Vw0ST+x7x6FWjh2SRgnU10 +/0cs85hh6etFtXlUhzSw7P3abL/8zmWIHw== +-----END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets index 3d6725162..4e53ef91a 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: ECDSA carolKey.pem +: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" -- cgit v1.2.3