From 81c63b0eed39432878f78727f60a1e7499645199 Mon Sep 17 00:00:00 2001 
From: Yves-Alexis Perez
Date: Fri, 11 Jul 2014 07:23:31 +0200
Subject: Imported Upstream version 5.2.0
---
.../hosts/moon/etc/ipsec.d/aacerts/aa.pem | 19 ++
.../etc/ipsec.d/acerts/carol-sales-finance.pem | 18 ++
.../moon/etc/ipsec.d/acerts/dave-marketing.pem | 18 ++
.../moon/etc/ipsec.d/acerts/dave-sales-expired.pem | 18 ++
.../hosts/moon/etc/ipsec.d/private/aa.pem | 27 +++
.../etc/ipsec.d/acerts/carol-finance-expired.pem | 18 ++
.../hosts/carol/etc/ipsec.d/acerts/carol-sales.pem | 18 ++
.../hosts/moon/etc/ipsec.d/aacerts/aa.pem | 19 ++
.../hosts/moon/etc/ipsec.d/private/aa.pem | 27 +++
.../hosts/carol/etc/ipsec.d/acerts/carol-sales.pem | 18 ++
.../dave/etc/ipsec.d/acerts/dave-expired-aa.pem | 18 ++
.../dave/etc/ipsec.d/acerts/dave-marketing.pem | 18 ++
.../hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem | 19 ++
.../hosts/moon/etc/ipsec.d/aacerts/aa.pem | 19 ++
.../hosts/moon/etc/ipsec.d/private/aa-expired.pem | 27 +++
.../hosts/moon/etc/ipsec.d/private/aa.pem | 27 +++
.../ikev2/shunt-policies-nat-rw/description.txt | 7 +
.../tests/ikev2/shunt-policies-nat-rw/evaltest.dat | 12 ++
.../hosts/alice/etc/ipsec.conf | 27 +++
.../hosts/alice/etc/strongswan.conf | 7 +
.../shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf | 20 ++
.../hosts/sun/etc/iptables.rules | 24 +++
.../hosts/sun/etc/strongswan.conf | 5 +
.../hosts/venus/etc/ipsec.conf | 27 +++
.../hosts/venus/etc/strongswan.conf | 7 +
.../tests/ikev2/shunt-policies-nat-rw/posttest.dat | 5 +
.../tests/ikev2/shunt-policies-nat-rw/pretest.dat | 11 +
.../tests/ikev2/shunt-policies-nat-rw/test.conf | 21 ++
testing/tests/ikev2/shunt-policies/description.txt | 11 -
testing/tests/ikev2/shunt-policies/evaltest.dat | 16 --
.../ikev2/shunt-policies/hosts/moon/etc/ipsec.conf | 40 ----
.../shunt-policies/hosts/moon/etc/iptables.rules | 32 ---
.../shunt-policies/hosts/moon/etc/strongswan.conf | 7 -
.../ikev2/shunt-policies/hosts/sun/etc/ipsec.conf | 22 --
.../shunt-policies/hosts/sun/etc/strongswan.conf | 6 -
testing/tests/ikev2/shunt-policies/posttest.dat | 5 - testing/tests/ikev2/shunt-policies/pretest.dat | 6 - testing/tests/ikev2/shunt-policies/test.conf | 21 -- .../carol/etc/ipsec.d/certs/carolCert-002.pem | 34 +-- .../carol/etc/ipsec.d/private/carolKey-002.pem | 50 ++--- .../hosts/moon/etc/ipsec.d/certs/moonCert.asc | 15 ++ .../hosts/moon/etc/ipsec.d/certs/sunCert.asc | 15 ++ .../hosts/moon/etc/ipsec.d/private/moonKey.asc | 19 ++ .../hosts/sun/etc/ipsec.d/certs/moonCert.asc | 15 ++ .../hosts/sun/etc/ipsec.d/certs/sunCert.asc | 15 ++ .../hosts/sun/etc/ipsec.d/private/sunKey.asc | 19 ++ testing/tests/pfkey/compress/description.txt | 4 + testing/tests/pfkey/compress/evaltest.dat | 12 ++ .../pfkey/compress/hosts/carol/etc/ipsec.conf | 21 ++ .../pfkey/compress/hosts/carol/etc/strongswan.conf | 5 + .../tests/pfkey/compress/hosts/moon/etc/ipsec.conf | 21 ++ .../pfkey/compress/hosts/moon/etc/strongswan.conf | 5 + testing/tests/pfkey/compress/posttest.dat | 4 + testing/tests/pfkey/compress/pretest.dat | 6 + testing/tests/pfkey/compress/test.conf | 22 ++ .../pfkey/shunt-policies-nat-rw/description.txt | 7 + .../tests/pfkey/shunt-policies-nat-rw/evaltest.dat | 12 ++ .../hosts/alice/etc/ipsec.conf | 27 +++ .../hosts/alice/etc/strongswan.conf | 7 + .../shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf | 20 ++ .../hosts/sun/etc/iptables.rules | 24 +++ .../hosts/sun/etc/strongswan.conf | 5 + .../hosts/venus/etc/ipsec.conf | 27 +++ .../hosts/venus/etc/strongswan.conf | 7 + .../tests/pfkey/shunt-policies-nat-rw/posttest.dat | 5 + .../tests/pfkey/shunt-policies-nat-rw/pretest.dat | 11 + .../tests/pfkey/shunt-policies-nat-rw/test.conf | 21 ++ testing/tests/pfkey/shunt-policies/description.txt | 11 - testing/tests/pfkey/shunt-policies/evaltest.dat | 20 -- .../pfkey/shunt-policies/hosts/moon/etc/ipsec.conf | 40 ---- .../shunt-policies/hosts/moon/etc/iptables.rules | 32 --- .../shunt-policies/hosts/moon/etc/strongswan.conf | 7 - .../pfkey/shunt-policies/hosts/sun/etc/ipsec.conf | 22 -- 
.../shunt-policies/hosts/sun/etc/strongswan.conf | 6 - testing/tests/pfkey/shunt-policies/posttest.dat | 5 - testing/tests/pfkey/shunt-policies/pretest.dat | 6 - testing/tests/pfkey/shunt-policies/test.conf | 21 -- .../sql/shunt-policies-nat-rw/description.txt | 7 + .../tests/sql/shunt-policies-nat-rw/evaltest.dat | 12 ++ .../hosts/alice/etc/ipsec.conf | 3 + .../hosts/alice/etc/ipsec.d/data.sql | 199 ++++++++++++++++++ .../hosts/alice/etc/ipsec.secrets | 3 + .../hosts/alice/etc/strongswan.conf | 12 ++ .../shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf | 3 + .../hosts/sun/etc/ipsec.d/data.sql | 195 ++++++++++++++++++ .../hosts/sun/etc/ipsec.secrets | 3 + .../hosts/sun/etc/iptables.rules | 24 +++ .../hosts/sun/etc/strongswan.conf | 13 ++ .../hosts/venus/etc/ipsec.conf | 3 + .../hosts/venus/etc/ipsec.d/data.sql | 199 ++++++++++++++++++ .../hosts/venus/etc/ipsec.secrets | 3 + .../hosts/venus/etc/strongswan.conf | 12 ++ .../tests/sql/shunt-policies-nat-rw/posttest.dat | 8 + .../tests/sql/shunt-policies-nat-rw/pretest.dat | 20 ++ testing/tests/sql/shunt-policies-nat-rw/test.conf | 21 ++ testing/tests/sql/shunt-policies/description.txt | 11 - testing/tests/sql/shunt-policies/evaltest.dat | 20 -- .../sql/shunt-policies/hosts/moon/etc/ipsec.conf | 5 - .../shunt-policies/hosts/moon/etc/ipsec.d/data.sql | 227 --------------------- .../shunt-policies/hosts/moon/etc/ipsec.secrets | 3 - .../shunt-policies/hosts/moon/etc/iptables.rules | 32 --- .../shunt-policies/hosts/moon/etc/strongswan.conf | 11 - .../sql/shunt-policies/hosts/sun/etc/ipsec.conf | 5 - .../shunt-policies/hosts/sun/etc/ipsec.d/data.sql | 152 -------------- .../sql/shunt-policies/hosts/sun/etc/ipsec.secrets | 3 - .../shunt-policies/hosts/sun/etc/strongswan.conf | 10 - testing/tests/sql/shunt-policies/posttest.dat | 6 - testing/tests/sql/shunt-policies/pretest.dat | 12 -- testing/tests/sql/shunt-policies/test.conf | 21 -- testing/tests/swanctl/ip-pool-db/description.txt | 10 + 
testing/tests/swanctl/ip-pool-db/evaltest.dat | 23 +++ .../ip-pool-db/hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/swanctl/swanctl.conf | 33 +++ .../ip-pool-db/hosts/dave/etc/strongswan.conf | 11 + .../ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf | 33 +++ .../ip-pool-db/hosts/moon/etc/strongswan.conf | 21 ++ .../ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf | 31 +++ testing/tests/swanctl/ip-pool-db/posttest.dat | 11 + testing/tests/swanctl/ip-pool-db/pretest.dat | 21 ++ testing/tests/swanctl/ip-pool-db/test.conf | 21 ++ testing/tests/swanctl/ip-pool/description.txt | 10 + testing/tests/swanctl/ip-pool/evaltest.dat | 15 ++ .../ip-pool/hosts/carol/etc/strongswan.conf | 13 ++ .../ip-pool/hosts/carol/etc/swanctl/swanctl.conf | 33 +++ .../swanctl/ip-pool/hosts/dave/etc/strongswan.conf | 13 ++ .../ip-pool/hosts/dave/etc/swanctl/swanctl.conf | 33 +++ .../swanctl/ip-pool/hosts/moon/etc/strongswan.conf | 13 ++ .../ip-pool/hosts/moon/etc/swanctl/swanctl.conf | 37 ++++ testing/tests/swanctl/ip-pool/posttest.dat | 8 + testing/tests/swanctl/ip-pool/pretest.dat | 15 ++ testing/tests/swanctl/ip-pool/test.conf | 21 ++ testing/tests/swanctl/net2net-cert/description.txt | 6 + testing/tests/swanctl/net2net-cert/evaltest.dat | 5 + .../net2net-cert/hosts/moon/etc/strongswan.conf | 13 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 34 +++ .../net2net-cert/hosts/sun/etc/strongswan.conf | 13 ++ .../hosts/sun/etc/swanctl/swanctl.conf | 34 +++ testing/tests/swanctl/net2net-cert/posttest.dat | 5 + testing/tests/swanctl/net2net-cert/pretest.dat | 9 + testing/tests/swanctl/net2net-cert/test.conf | 21 ++ .../tests/swanctl/net2net-route/description.txt | 9 + testing/tests/swanctl/net2net-route/evaltest.dat | 7 + .../net2net-route/hosts/moon/etc/strongswan.conf | 13 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 34 +++ .../net2net-route/hosts/sun/etc/strongswan.conf | 13 ++ .../hosts/sun/etc/swanctl/swanctl.conf | 34 +++ testing/tests/swanctl/net2net-route/posttest.dat | 5 + 
testing/tests/swanctl/net2net-route/pretest.dat | 9 + testing/tests/swanctl/net2net-route/test.conf | 21 ++ .../tests/swanctl/net2net-start/description.txt | 6 + testing/tests/swanctl/net2net-start/evaltest.dat | 5 + .../net2net-start/hosts/moon/etc/strongswan.conf | 13 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 34 +++ .../net2net-start/hosts/sun/etc/strongswan.conf | 13 ++ .../hosts/sun/etc/swanctl/swanctl.conf | 34 +++ testing/tests/swanctl/net2net-start/posttest.dat | 5 + testing/tests/swanctl/net2net-start/pretest.dat | 9 + testing/tests/swanctl/net2net-start/test.conf | 21 ++ testing/tests/swanctl/rw-cert/description.txt | 6 + testing/tests/swanctl/rw-cert/evaltest.dat | 10 + .../rw-cert/hosts/carol/etc/strongswan.conf | 13 ++ .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf | 32 +++ .../swanctl/rw-cert/hosts/dave/etc/strongswan.conf | 13 ++ .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf | 32 +++ .../swanctl/rw-cert/hosts/moon/etc/strongswan.conf | 13 ++ .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf | 30 +++ testing/tests/swanctl/rw-cert/posttest.dat | 8 + testing/tests/swanctl/rw-cert/pretest.dat | 14 ++ testing/tests/swanctl/rw-cert/test.conf | 21 ++ testing/tests/swanctl/rw-psk-fqdn/description.txt | 6 + testing/tests/swanctl/rw-psk-fqdn/evaltest.dat | 10 + .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf | 13 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 41 ++++ .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf | 13 ++ .../hosts/dave/etc/swanctl/swanctl.conf | 39 ++++ .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf | 13 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 41 ++++ testing/tests/swanctl/rw-psk-fqdn/posttest.dat | 8 + testing/tests/swanctl/rw-psk-fqdn/pretest.dat | 17 ++ testing/tests/swanctl/rw-psk-fqdn/test.conf | 21 ++ testing/tests/swanctl/rw-psk-ipv4/description.txt | 6 + testing/tests/swanctl/rw-psk-ipv4/evaltest.dat | 10 + .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf | 13 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 40 ++++ 
.../rw-psk-ipv4/hosts/dave/etc/strongswan.conf | 13 ++ .../hosts/dave/etc/swanctl/swanctl.conf | 39 ++++ .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf | 13 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 40 ++++ testing/tests/swanctl/rw-psk-ipv4/posttest.dat | 8 + testing/tests/swanctl/rw-psk-ipv4/pretest.dat | 17 ++ testing/tests/swanctl/rw-psk-ipv4/test.conf | 21 ++ .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf | 7 + .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf | 7 + .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/carol/etc/strongswan.conf | 7 + .../hosts/dave/etc/strongswan.conf | 7 + .../hosts/alice/etc/pts/data1.sql | 2 +- .../hosts/carol/etc/strongswan.conf | 7 + .../hosts/dave/etc/strongswan.conf | 7 + .../hosts/carol/etc/strongswan.conf | 7 + .../tnccs-11-radius/hosts/dave/etc/strongswan.conf | 7 + .../tnc/tnccs-11/hosts/carol/etc/strongswan.conf | 7 + .../tnc/tnccs-11/hosts/dave/etc/strongswan.conf | 7 + .../tnc/tnccs-11/hosts/moon/etc/strongswan.conf | 8 +- .../tnccs-20-block/hosts/carol/etc/strongswan.conf | 7 +- .../tnccs-20-block/hosts/dave/etc/strongswan.conf | 5 +- .../tnccs-20-block/hosts/moon/etc/strongswan.conf | 7 +- .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/dave/etc/strongswan.conf | 7 +- .../hosts/moon/etc/strongswan.conf | 7 +- .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf | 8 +- .../tnccs-20-fhh/hosts/dave/etc/strongswan.conf | 8 +- .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/tnc/tnccs-20-os-pts/description.txt | 22 ++ testing/tests/tnc/tnccs-20-os-pts/evaltest.dat | 20 ++ .../tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf | 23 +++ .../tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 15 ++ .../tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config | 4 + .../tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf | 23 +++ .../tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets | 3 + .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf | 21 ++ 
.../tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config | 4 + .../tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf | 34 +++ .../tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets | 6 + .../tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql | 29 +++ .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf | 31 +++ .../tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config | 4 + testing/tests/tnc/tnccs-20-os-pts/posttest.dat | 8 + testing/tests/tnc/tnccs-20-os-pts/pretest.dat | 18 ++ testing/tests/tnc/tnccs-20-os-pts/test.conf | 26 +++ testing/tests/tnc/tnccs-20-os/description.txt | 13 +- testing/tests/tnc/tnccs-20-os/evaltest.dat | 4 +- .../tnccs-20-os/hosts/carol/etc/strongswan.conf | 8 +- .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf | 7 +- .../tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql | 4 +- .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/tnc/tnccs-20-os/pretest.dat | 2 +- testing/tests/tnc/tnccs-20-pdp-eap/description.txt | 12 ++ testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat | 29 +++ .../alice/etc/apache2/sites-available/default | 26 +++ .../tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf | 9 + .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 +++ .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 +++ .../tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets | 6 + .../tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql | 61 ++++++ .../hosts/alice/etc/strongTNC/settings.ini | 19 ++ .../hosts/alice/etc/strongswan.conf | 35 ++++ .../tnccs-20-pdp-eap/hosts/alice/etc/tnc_config | 4 + .../tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf | 23 +++ .../tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 18 ++ .../tnccs-20-pdp-eap/hosts/carol/etc/tnc_config | 4 + .../tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf | 23 +++ .../tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 30 +++ .../tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config | 4 + .../tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf | 33 +++ 
.../tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets | 3 + .../tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules | 32 +++ .../hosts/moon/etc/strongswan.conf | 14 ++ testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat | 9 + testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat | 21 ++ testing/tests/tnc/tnccs-20-pdp-eap/test.conf | 26 +++ .../tests/tnc/tnccs-20-pdp-pt-tls/description.txt | 9 + testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat | 19 ++ .../alice/etc/apache2/sites-available/default | 26 +++ .../tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf | 9 + .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 +++ .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 +++ .../hosts/alice/etc/ipsec.secrets | 6 + .../hosts/alice/etc/iptables.rules | 24 +++ .../hosts/alice/etc/pts/data1.sql | 61 ++++++ .../hosts/alice/etc/strongTNC/settings.ini | 19 ++ .../hosts/alice/etc/strongswan.conf | 29 +++ .../tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config | 4 + .../tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf | 3 + .../hosts/carol/etc/ipsec.secrets | 3 + .../tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql | 4 + .../hosts/carol/etc/iptables.rules | 20 ++ .../hosts/carol/etc/pts/options | 6 + .../hosts/carol/etc/strongswan.conf | 9 + .../tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config | 4 + .../tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf | 3 + .../hosts/dave/etc/ipsec.secrets | 3 + .../tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql | 4 + .../hosts/dave/etc/iptables.rules | 20 ++ .../tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options | 7 + .../hosts/dave/etc/strongswan.conf | 21 ++ .../tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config | 4 + testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat | 9 + testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat | 23 +++ testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf | 26 +++ testing/tests/tnc/tnccs-20-pdp/description.txt | 12 -- testing/tests/tnc/tnccs-20-pdp/evaltest.dat | 22 -- .../tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf | 9 - 
.../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 --- .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 --- .../tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets | 6 - .../tnccs-20-pdp/hosts/alice/etc/strongswan.conf | 30 --- .../tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config | 4 - .../tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf | 23 --- .../tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets | 3 - .../tnccs-20-pdp/hosts/carol/etc/strongswan.conf | 18 -- .../tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config | 4 - .../tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf | 23 --- .../tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-20-pdp/hosts/dave/etc/strongswan.conf | 21 -- .../tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config | 4 - .../tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf | 33 --- .../tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets | 3 - .../tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules | 32 --- .../tnccs-20-pdp/hosts/moon/etc/strongswan.conf | 14 -- testing/tests/tnc/tnccs-20-pdp/posttest.dat | 7 - testing/tests/tnc/tnccs-20-pdp/pretest.dat | 14 -- testing/tests/tnc/tnccs-20-pdp/test.conf | 26 --- testing/tests/tnc/tnccs-20-pt-tls/description.txt | 9 - testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat | 12 -- .../tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf | 9 - .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 --- .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 --- .../tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets | 6 - .../tnccs-20-pt-tls/hosts/alice/etc/iptables.rules | 20 -- .../tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql | 61 ------ .../hosts/alice/etc/strongswan.conf | 28 --- .../tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config | 4 - .../tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf | 3 - .../tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets | 3 - .../tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql | 4 - .../tnccs-20-pt-tls/hosts/carol/etc/iptables.rules | 20 -- .../tnccs-20-pt-tls/hosts/carol/etc/pts/options | 5 - .../hosts/carol/etc/strongswan.conf | 25 --- 
.../tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config | 4 - .../tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf | 3 - .../tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets | 3 - .../tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql | 4 - .../tnccs-20-pt-tls/hosts/dave/etc/iptables.rules | 20 -- .../tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options | 6 - .../tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf | 22 -- .../tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config | 4 - testing/tests/tnc/tnccs-20-pt-tls/posttest.dat | 8 - testing/tests/tnc/tnccs-20-pt-tls/pretest.dat | 19 -- testing/tests/tnc/tnccs-20-pt-tls/test.conf | 26 --- .../tests/tnc/tnccs-20-pts-no-ecc/description.txt | 15 +- testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/dave/etc/strongswan.conf | 7 +- .../hosts/moon/etc/pts/data1.sql | 2 +- .../hosts/moon/etc/strongswan.conf | 7 +- testing/tests/tnc/tnccs-20-pts/description.txt | 13 +- testing/tests/tnc/tnccs-20-pts/evaltest.dat | 16 +- .../tnccs-20-pts/hosts/carol/etc/strongswan.conf | 8 +- .../tnccs-20-pts/hosts/dave/etc/strongswan.conf | 6 +- .../tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql | 2 +- .../tnccs-20-pts/hosts/moon/etc/strongswan.conf | 7 +- .../tnc/tnccs-20-pts/hosts/moon/etc/tnc_config | 1 - .../tnc/tnccs-20-server-retry/description.txt | 9 +- .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/dave/etc/strongswan.conf | 7 +- .../hosts/moon/etc/strongswan.conf | 7 +- testing/tests/tnc/tnccs-20-tls/description.txt | 9 +- .../tnccs-20-tls/hosts/carol/etc/strongswan.conf | 8 +- .../tnccs-20-tls/hosts/dave/etc/strongswan.conf | 8 +- .../tnccs-20-tls/hosts/moon/etc/strongswan.conf | 17 +- .../tnc/tnccs-20/hosts/carol/etc/strongswan.conf | 8 +- .../tnc/tnccs-20/hosts/dave/etc/strongswan.conf | 7 +- .../tnc/tnccs-20/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/tnc/tnccs-dynamic/description.txt | 1 + .../tnccs-dynamic/hosts/carol/etc/strongswan.conf | 5 + 
.../tnccs-dynamic/hosts/dave/etc/strongswan.conf | 5 + .../tnccs-dynamic/hosts/moon/etc/strongswan.conf | 1 + 371 files changed, 4585 insertions(+), 1824 deletions(-) create mode 100644 testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem create mode 100644 testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem create mode 100644 testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem create mode 100644 testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem create mode 100644 testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem create mode 100644 testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem create mode 100644 testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem create mode 100644 testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem create mode 100644 testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem create mode 100644 testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem create mode 100644 testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem create mode 100644 testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem create mode 100644 testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem create mode 100644 testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem create mode 100644 testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem create mode 100644 testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/description.txt create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf create mode 100644 
testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat create mode 100644 testing/tests/ikev2/shunt-policies-nat-rw/test.conf delete mode 100644 testing/tests/ikev2/shunt-policies/description.txt delete mode 100644 testing/tests/ikev2/shunt-policies/evaltest.dat delete mode 100644 testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/shunt-policies/posttest.dat delete mode 100644 testing/tests/ikev2/shunt-policies/pretest.dat delete mode 100644 testing/tests/ikev2/shunt-policies/test.conf create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc create mode 100644 
testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc create mode 100644 testing/tests/pfkey/compress/description.txt create mode 100644 testing/tests/pfkey/compress/evaltest.dat create mode 100644 testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/pfkey/compress/posttest.dat create mode 100644 testing/tests/pfkey/compress/pretest.dat create mode 100644 testing/tests/pfkey/compress/test.conf create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/description.txt create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat create mode 100644 testing/tests/pfkey/shunt-policies-nat-rw/test.conf delete mode 100644 testing/tests/pfkey/shunt-policies/description.txt delete mode 100644 testing/tests/pfkey/shunt-policies/evaltest.dat delete mode 100644 
testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/pfkey/shunt-policies/posttest.dat delete mode 100644 testing/tests/pfkey/shunt-policies/pretest.dat delete mode 100644 testing/tests/pfkey/shunt-policies/test.conf create mode 100644 testing/tests/sql/shunt-policies-nat-rw/description.txt create mode 100644 testing/tests/sql/shunt-policies-nat-rw/evaltest.dat create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf create mode 100644 testing/tests/sql/shunt-policies-nat-rw/posttest.dat create mode 100644 
testing/tests/sql/shunt-policies-nat-rw/pretest.dat create mode 100644 testing/tests/sql/shunt-policies-nat-rw/test.conf delete mode 100644 testing/tests/sql/shunt-policies/description.txt delete mode 100644 testing/tests/sql/shunt-policies/evaltest.dat delete mode 100644 testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql delete mode 100644 testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql delete mode 100644 testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets delete mode 100644 testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/sql/shunt-policies/posttest.dat delete mode 100644 testing/tests/sql/shunt-policies/pretest.dat delete mode 100644 testing/tests/sql/shunt-policies/test.conf create mode 100755 testing/tests/swanctl/ip-pool-db/description.txt create mode 100755 testing/tests/swanctl/ip-pool-db/evaltest.dat create mode 100755 testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-pool-db/posttest.dat create mode 100755 testing/tests/swanctl/ip-pool-db/pretest.dat create mode 100755 
testing/tests/swanctl/ip-pool-db/test.conf create mode 100755 testing/tests/swanctl/ip-pool/description.txt create mode 100755 testing/tests/swanctl/ip-pool/evaltest.dat create mode 100755 testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-pool/posttest.dat create mode 100755 testing/tests/swanctl/ip-pool/pretest.dat create mode 100755 testing/tests/swanctl/ip-pool/test.conf create mode 100755 testing/tests/swanctl/net2net-cert/description.txt create mode 100755 testing/tests/swanctl/net2net-cert/evaltest.dat create mode 100755 testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-cert/posttest.dat create mode 100755 testing/tests/swanctl/net2net-cert/pretest.dat create mode 100755 testing/tests/swanctl/net2net-cert/test.conf create mode 100755 testing/tests/swanctl/net2net-route/description.txt create mode 100755 testing/tests/swanctl/net2net-route/evaltest.dat create mode 100755 testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf create mode 100755 
testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-route/posttest.dat create mode 100755 testing/tests/swanctl/net2net-route/pretest.dat create mode 100755 testing/tests/swanctl/net2net-route/test.conf create mode 100755 testing/tests/swanctl/net2net-start/description.txt create mode 100755 testing/tests/swanctl/net2net-start/evaltest.dat create mode 100755 testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-start/posttest.dat create mode 100755 testing/tests/swanctl/net2net-start/pretest.dat create mode 100755 testing/tests/swanctl/net2net-start/test.conf create mode 100755 testing/tests/swanctl/rw-cert/description.txt create mode 100755 testing/tests/swanctl/rw-cert/evaltest.dat create mode 100755 testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-cert/posttest.dat create mode 100755 testing/tests/swanctl/rw-cert/pretest.dat create mode 100755 testing/tests/swanctl/rw-cert/test.conf create mode 100755 testing/tests/swanctl/rw-psk-fqdn/description.txt create mode 100755 testing/tests/swanctl/rw-psk-fqdn/evaltest.dat create mode 100755 testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf create mode 
100755 testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-fqdn/posttest.dat create mode 100755 testing/tests/swanctl/rw-psk-fqdn/pretest.dat create mode 100755 testing/tests/swanctl/rw-psk-fqdn/test.conf create mode 100755 testing/tests/swanctl/rw-psk-ipv4/description.txt create mode 100755 testing/tests/swanctl/rw-psk-ipv4/evaltest.dat create mode 100755 testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-ipv4/posttest.dat create mode 100755 testing/tests/swanctl/rw-psk-ipv4/pretest.dat create mode 100755 testing/tests/swanctl/rw-psk-ipv4/test.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/description.txt create mode 100644 testing/tests/tnc/tnccs-20-os-pts/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config create mode 100644 
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-os-pts/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-os-pts/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-os-pts/test.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/description.txt create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf create mode 100644 
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/test.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini create mode 100644 
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/description.txt delete mode 100644 testing/tests/tnc/tnccs-20-pdp/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem delete mode 100644 
testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pdp/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pdp/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/description.txt delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules delete mode 100644 
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/test.conf (limited to 'testing/tests') diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem new file mode 100644 index 000000000..fbfa7ee8b --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/aacerts/aa.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD +Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH +hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP +dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L +lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/ +QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N +jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2 +bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM +ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik +gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02 +R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA +6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g +91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem new file mode 100644 index 000000000..406c15700 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/carol-sales-finance.pem 
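Review bot: The validity field in the third base64 line of the `aacerts/aa.pem` hunk decodes to notBefore 2014-02-07 and notAfter 2022-04-26, so every scenario that expects this AA certificate to verify will start failing on that date, and nothing in the tree explains why. The same blob (`fbfa7ee8b`) is added again under `acert-fallback` and `acert-inline`, and the attribute certificates issued by `strongSwan AA` (for example `carol-sales-finance.pem`) appear to end on the same day, so they all have to be reissued together. The signature algorithm OID also appears to be sha1WithRSAEncryption, which a build that rejects SHA-1 signatures would refuse. I would record this in the scenario documentation rather than inside the PEM file, for example `aa.pem: test-only AA certificate, SHA-1/RSA, notAfter 2022-04-26; reissue together with the acerts it signs`.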
@@ -0,0 +1,18 @@ +-----BEGIN ATTRIBUTE CERTIFICATE----- +MIIC+DCCAeACAQEwgbCgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHaFe +pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZ6BG +MESkQjBAMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEW +MBQGA1UEAxMNc3Ryb25nU3dhbiBBQTANBgkqhkiG9w0BAQUFAAIIWCKrRUelL+kw +IhgPMjAxNDAyMDcwODU4MTJaGA8yMDIyMDQyNjA4NTgxMlowIjAgBggrBgEFBQcK +BDEUMBIwEAwFc2FsZXMMB2ZpbmFuY2UwfzByBgNVHSMEazBpCwHqxzoCXPi2xMHh +2q7CV/ZSsLChSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJv +bmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCCBVOfhWvHBdhMAkG +A1UdOAQCBQAwDQYJKoZIhvcNAQEFBQADggEBADNSv52dbBOp30L0kJse9HqWMBaR +SA5IDrF1FMLVZfI0Vb9XgEmk1SXAnMmPm7bfk+2w0Rd1jL7D905nel3LXuvohSR9 +wd4Vo8XX3WUlzNfjUEFFJb0nU2ybr7SmxF+K4wGnhvBAym2y/hNA0glp2hNjYTds +g+RUpM4bSqP5DpUfRBl19VHeEu/OymoACOzuHuNc1IndYM1mkSJYumX6YW60DpF/ +TaK1So3FyEWucHeoFCziNbclrjWwB8OS3JfCOl95rxu+0JhyWc+3x1E50W8DaAnY +ZRyYxDjYT9/E9xyzV45yo0xFODIgDgfKMsDjfUmfny3dTesdFUf3Ar3vTfA= +-----END ATTRIBUTE CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem new file mode 100644 index 000000000..2f646c39d --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-marketing.pem 
@@ -0,0 +1,18 @@ +-----BEGIN ATTRIBUTE CERTIFICATE----- +MIIC9DCCAdwCAQEwgbGgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHKFf +pF0wWzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzAR +BgNVBAsTCkFjY291bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmeg +RjBEpEIwQDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x +FjAUBgNVBAMTDXN0cm9uZ1N3YW4gQUEwDQYJKoZIhvcNAQEFBQACCCPxWgWKmOUM +MCIYDzIwMTQwMjA3MDg1OTM3WhgPMjAyMjA0MjYwODU5MzdaMB0wGwYIKwYBBQUH +CgQxDzANMAsMCW1hcmtldGluZzB/MHIGA1UdIwRrMGkLAerHOgJc+LbEweHarsJX +9lKwsKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIIFU5+Fa8cF2EwCQYDVR04 +BAIFADANBgkqhkiG9w0BAQUFAAOCAQEAThlKhGVv34sfnCSQn6nYUdxMhboTuC98 ++DgvTQ/tH0hddCJNg00SpO8AbStwEsqHFaSqFzAGHcMk+XUrBRSGszAwg8nKAKfT +MCvJbK6lWQcPF0WPSSk9/r1TLan4I9xhneNIIGQf1fnNo7NrQnmhJjolUgXQNwFA +qZgKBsk0jWcOSvI0bpK90km5flCHn/OA1rDCdaPuMwreDhvNDoApORYFPZVsLhid +CXSqT+FWfm2NfegS+Q4VHP3YLbY4vLepCerU9aMTUIPit0kf1N8piG/l6AUno1XP +VrcTvruQUWQb08H9aYt7l7kyhzOKkuXjVbdn5egZnK0m4WKmV50guA== +-----END ATTRIBUTE CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem new file mode 100644 index 000000000..d42038469 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/acerts/dave-sales-expired.pem 
@@ -0,0 +1,18 @@ +-----BEGIN ATTRIBUTE CERTIFICATE----- +MIIC8DCCAdgCAQEwgbGgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHKFf +pF0wWzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzAR +BgNVBAsTCkFjY291bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmeg +RjBEpEIwQDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x +FjAUBgNVBAMTDXN0cm9uZ1N3YW4gQUEwDQYJKoZIhvcNAQEFBQACCEuGbFvrRrtr +MCIYDzIwMTQwMjA3MDgwMTE3WhgPMjAxNDAyMDcwOTAxMTdaMBkwFwYIKwYBBQUH +CgQxCzAJMAcMBXNhbGVzMH8wcgYDVR0jBGswaQsB6sc6Alz4tsTB4dquwlf2UrCw +oUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEb +MBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBgggVTn4VrxwXYTAJBgNVHTgEAgUA +MA0GCSqGSIb3DQEBBQUAA4IBAQBYnOq716FJ079kXAt8vmi2GpEyyCqSBqqjr0lR +X9mGQqWKmpj88ZP61tCooCy8HaJsgKBvedKJHJ4e/YxR+fqBDkT4apFu4wX8P/xh +yKy6/RMAdTtkwVTE6flXdQryCQ/PGhSMuwwH/URFg65mixAatyyaoat4+mZ506u3 +F9ZZXkHPP4nZXAJqYjLLcNXPqC4lGoXXT+9dgsm6RLAdnBXT1GGff9tmqt9CcspW +XPjoqy9AxNr6FnItvMGw0CC6MPyVOJImlSxdhFW7waZkpNfmGzRdylXMwHXk8PbW +gjmlDUbyWquu8xBlpron3X/Jx3YNGVNrhgfZLlmhzCRouMqc +-----END ATTRIBUTE CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem new file mode 100644 index 000000000..a4e001791 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.d/private/aa.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF +FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA +Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY +zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT +jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf ++7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+ +eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz +d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn +DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB +01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot +mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK +vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM +lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH +mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i +xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf +3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo +vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/ +zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S +Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ +3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV +oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+ +XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N +GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV +2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3 +RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem new file mode 100644 index 000000000..3be000a3d --- /dev/null 
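Review bot: The `private/aa.pem` hunk adds the attribute authority's RSA private key unencrypted (a bare `-----BEGIN RSA PRIVATE KEY-----` block with no `Proc-Type`/`DEK-Info` header), and its modulus appears to match the `aacerts/aa.pem` certificate added earlier in this patch. That is normal for a test harness, but attribute certificates chaining to this AA prove nothing outside the test network, because the signing key is public. The practical risk is a deployment that copies one of these `hosts/moon/etc/ipsec.d` trees as a template and leaves the AA certificate installed, so group membership asserted by an attribute certificate can no longer be trusted. The identical blob (`a4e001791`) is added again for `acert-fallback` and `acert-inline`, and `private/aa-expired.pem` is published the same way. I would state it once in the test documentation, e.g. `Keys under testing/ are published test material; never install aa.pem or its certificate outside the test environment`.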
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-finance-expired.pem @@ -0,0 +1,18 @@ +-----BEGIN ATTRIBUTE CERTIFICATE----- +MIIC8TCCAdkCAQEwgbCgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHaFe +pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZ6BG +MESkQjBAMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEW +MBQGA1UEAxMNc3Ryb25nU3dhbiBBQTANBgkqhkiG9w0BAQUFAAIISLuuiWM2O9Yw +IhgPMjAxNDAyMDcwODQyMDVaGA8yMDE0MDIwNzA5NDIwNVowGzAZBggrBgEFBQcK +BDENMAswCQwHZmluYW5jZTB/MHIGA1UdIwRrMGkLAerHOgJc+LbEweHarsJX9lKw +sKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x +GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIIFU5+Fa8cF2EwCQYDVR04BAIF +ADANBgkqhkiG9w0BAQUFAAOCAQEAaDwqM5BY9pXhlSlT3cpCJYsNCfk6T1nG5s5J +Dtgwojw0BVSoxKqcbpWdP09HOpBcwbPVk++I19wd5VsdHxtQ4/o2Hoevg4QWxUUx +t3qsdMDjg7U2iH+JppYsEDmXmx9k1hvV1OiEzHJKTDlZqXkhiItLatKSptTG3c0A +DdJVS05sdepzhkRGimE/QwO7nJ3v5ixFNIetgfbojbjhJPpNfXPIgMMHerK/hAlo +ekSwcmh9ufFuEXg8C0NunQqf6Z6FbxiUXUF9j7dvlEp3n5YFsv3WSMUjE3Sb7r8T +3e2A/LXb05ky0/SNebgS4fU9oi8acEgwN2Vqwu82hClwYAcHJg== +-----END ATTRIBUTE CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem new file mode 100644 index 000000000..a188a1d3d --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem 
@@ -0,0 +1,18 @@ +-----BEGIN ATTRIBUTE CERTIFICATE----- +MIIC7zCCAdcCAQEwgbCgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHaFe +pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZ6BG +MESkQjBAMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEW +MBQGA1UEAxMNc3Ryb25nU3dhbiBBQTANBgkqhkiG9w0BAQUFAAIIYO/yp98Yxu4w +IhgPMjAxNDAyMDcxMDAxNTdaGA8yMDIyMDQyNjEwMDE1N1owGTAXBggrBgEFBQcK +BDELMAkwBwwFc2FsZXMwfzByBgNVHSMEazBpCwHqxzoCXPi2xMHh2q7CV/ZSsLCh +SaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRsw +GQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCCBVOfhWvHBdhMAkGA1UdOAQCBQAw +DQYJKoZIhvcNAQEFBQADggEBAJA/duSysWae5X9JTC0BLY6gK8ggj5V9H3d60rM4 +7A8HVQldWe5QwYIRZmLS0XhMVHWiIvXJHwue2Xgs8DyAqILSCKIKpCJRhqPIxHCh +bek1nzw2YzVaU+E37He5V9PSkkRFO9tRvELhW3t4Wya7p4l6MVFW9ETOOtUqZYmt +bxAq/XEFZl/aFb2FW2RoKjUZpwxbrccCaV1hKIxtNen2ro31dNd9YHXe+fE4Fc7r +FTwbhOg3QLvZDXmiZt3LCXdMKAhayLbuSVsycuEtac44OVSvKhJ8GYykTRRn67nU +qCFNDe266KTNDqUMilrHm3FYGkpFtREOBajH4EqdMAJSdXg= +-----END ATTRIBUTE CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem new file mode 100644 index 000000000..fbfa7ee8b --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aa.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD +Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH +hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP +dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L +lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/ +QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N +jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2 +bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM +ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik +gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02 +R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA +6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g +91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem new file mode 100644 index 000000000..a4e001791 --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/private/aa.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF +FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA +Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY +zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT +jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf ++7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+ +eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz +d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn +DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB +01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot +mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK +vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM +lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH +mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i +xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf +3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo +vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/ +zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S +Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ +3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV +oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+ +XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N +GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV +2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3 +RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem new file mode 100644 index 000000000..a188a1d3d --- /dev/null 
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.d/acerts/carol-sales.pem @@ -0,0 +1,18 @@ +-----BEGIN ATTRIBUTE CERTIFICATE----- +MIIC7zCCAdcCAQEwgbCgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHaFe +pFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZ6BG +MESkQjBAMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEW +MBQGA1UEAxMNc3Ryb25nU3dhbiBBQTANBgkqhkiG9w0BAQUFAAIIYO/yp98Yxu4w +IhgPMjAxNDAyMDcxMDAxNTdaGA8yMDIyMDQyNjEwMDE1N1owGTAXBggrBgEFBQcK +BDELMAkwBwwFc2FsZXMwfzByBgNVHSMEazBpCwHqxzoCXPi2xMHh2q7CV/ZSsLCh +SaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRsw +GQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCCBVOfhWvHBdhMAkGA1UdOAQCBQAw +DQYJKoZIhvcNAQEFBQADggEBAJA/duSysWae5X9JTC0BLY6gK8ggj5V9H3d60rM4 +7A8HVQldWe5QwYIRZmLS0XhMVHWiIvXJHwue2Xgs8DyAqILSCKIKpCJRhqPIxHCh +bek1nzw2YzVaU+E37He5V9PSkkRFO9tRvELhW3t4Wya7p4l6MVFW9ETOOtUqZYmt +bxAq/XEFZl/aFb2FW2RoKjUZpwxbrccCaV1hKIxtNen2ro31dNd9YHXe+fE4Fc7r +FTwbhOg3QLvZDXmiZt3LCXdMKAhayLbuSVsycuEtac44OVSvKhJ8GYykTRRn67nU +qCFNDe266KTNDqUMilrHm3FYGkpFtREOBajH4EqdMAJSdXg= +-----END ATTRIBUTE CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem new file mode 100644 index 000000000..e612607aa --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-expired-aa.pem 
@@ -0,0 +1,18 @@ +-----BEGIN ATTRIBUTE CERTIFICATE----- +MIIC7TCCAdUCAQEwgbGgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHKFf +pF0wWzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzAR +BgNVBAsTCkFjY291bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmeg +QzBBpD8wPTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x +EzARBgNVBAMTCmV4cGlyZWQgQUEwDQYJKoZIhvcNAQEFBQACCG25qKzXgZ9HMCIY +DzIwMTQwMjA3MTAxMzQyWhgPMjAyMjA0MjYxMDEzNDJaMBkwFwYIKwYBBQUHCgQx +CzAJMAcMBXNhbGVzMH8wcgYDVR0jBGswabOoTOBJ6lXcG4NAowI32Y/oXa9/oUmk +RzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBgggqIkNljRd9CTAJBgNVHTgEAgUAMA0G +CSqGSIb3DQEBBQUAA4IBAQCfX/84tHCidlVbOU4is/1hZc+FpK4GG1jcywM9mtjB +QUeX28LYkewDdRpe49zJuTbvuIIABTp+4alf/oo7sKLk+o2/qq6CPfx8BSRL1a61 +Y1wVeGmXqcRQgtX+r3asMtLBoAFO8VaHt6pY52bg2YMNVRrUnCUVLqQjT+/Ujr4f +Lhs74VOxn7S94YbqvP5rytNFjdzBREipmb8j4mhIyfwUluoWFCkzxuwRaSEGhSMO +NobJuj/mK0PUU+TMYEcOMpQ/nVyb9rBtOvDoNU3BeD+ovuamErT9/9vWhEOwMD4C +OeR+ofespDX+AdCyZ1Dr1GMyUmIRK7GERdasIhx5pYMk +-----END ATTRIBUTE CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem new file mode 100644 index 000000000..2f646c39d --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.d/acerts/dave-marketing.pem 
@@ -0,0 +1,18 @@ +-----BEGIN ATTRIBUTE CERTIFICATE----- +MIIC9DCCAdwCAQEwgbGgTjBJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQQIBHKFf +pF0wWzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzAR +BgNVBAsTCkFjY291bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmeg +RjBEpEIwQDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x +FjAUBgNVBAMTDXN0cm9uZ1N3YW4gQUEwDQYJKoZIhvcNAQEFBQACCCPxWgWKmOUM +MCIYDzIwMTQwMjA3MDg1OTM3WhgPMjAyMjA0MjYwODU5MzdaMB0wGwYIKwYBBQUH +CgQxDzANMAsMCW1hcmtldGluZzB/MHIGA1UdIwRrMGkLAerHOgJc+LbEweHarsJX +9lKwsKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIIFU5+Fa8cF2EwCQYDVR04 +BAIFADANBgkqhkiG9w0BAQUFAAOCAQEAThlKhGVv34sfnCSQn6nYUdxMhboTuC98 ++DgvTQ/tH0hddCJNg00SpO8AbStwEsqHFaSqFzAGHcMk+XUrBRSGszAwg8nKAKfT +MCvJbK6lWQcPF0WPSSk9/r1TLan4I9xhneNIIGQf1fnNo7NrQnmhJjolUgXQNwFA +qZgKBsk0jWcOSvI0bpK90km5flCHn/OA1rDCdaPuMwreDhvNDoApORYFPZVsLhid +CXSqT+FWfm2NfegS+Q4VHP3YLbY4vLepCerU9aMTUIPit0kf1N8piG/l6AUno1XP +VrcTvruQUWQb08H9aYt7l7kyhzOKkuXjVbdn5egZnK0m4WKmV50guA== +-----END ATTRIBUTE CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem new file mode 100644 index 000000000..20336fd79 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJzCCAg+gAwIBAgIIKiJDZY0XfQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDYwOTQ4NTJaFw0xNDAyMDcwOTQ4NTJaMD0x +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRMwEQYDVQQD +EwpleHBpcmVkIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0s5R +X2Y9KUSoNewtwOhQunET9VRGrVYS+xDewmIuAHZt4jhbETSHS+r/qipV4mI+/orS +zma0+GVcDwbHRT3oDCrpG/DMpPznki+OzHT9e/HHk0yxb0Ti6vDDbZOM8y3r7ak0 +Dcq6BgGwPxwIW2u1YHRTj4yxlr5wj9iKU1SQGCwZIQZmjqrjoQlcrThIXju2bqN3 +SOjuaN6A2GAvcbb/IeQEm8HBqulmyBuGV7Gk9umG/nr61rulNxEp+3Dsce5mv7JR +dX5W8P6pv38A/f31Bh/EetEkv8qdnkH0aVAvd8Kb2yxc8Ofdu0kJNoPHGjrnSywl +kPh3z2pw6nOFpyFHoQIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2bbO1 +5eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAh9Sxryf5ip00ykCMStDYzQk27l4N +ncjU19RJqjrCuHupvWPJ+aYQFvssAnGGuK2rbw3rzVQba/Vn/o5d5wr1gxRtNQjv +z60jbqllmjF0TWvPf/CM/5LVAQJs2x5Mqtvy3pbNvetFHjZrzVDobdVJpqzaZGnh +oP0+HUMdE+fyLa0LfaRKYNv7r/vxvzsHZvgJawHK1b/2VWtrkIMyhAgHYViih06j +2bfVI/f5tk7/UljzLOCB22IFIn05wh4jyKq6az7B2Xu1Kk0/eA12eRqG134P8OYe +hAPcuj4QEDwV0ESw5cueD2I0MxbXuH2vBG5ziSBfw2Phj7f9iYurmMsZew== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem new file mode 100644 index 000000000..fbfa7ee8b --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/aacerts/aa.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKjCCAhKgAwIBAgIIFU5+Fa8cF2EwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTAeFw0xNDAyMDcwODUwMzVaFw0yMjA0MjYwODUwMzVaMEAx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRYwFAYDVQQD +Ew1zdHJvbmdTd2FuIEFBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +y6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTFFbSbpQJxWk603BJH +hlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsAQ3yWfkZZK1jxTdTP +dvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqYzdWFCUINTXUGEr/L +lt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNTjS2xaaklUCq2auR/ +QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf+7suyGczSRMP6+5N +jqNqab7l/SHwHQMVEE5ihwIDAQABoyMwITAfBgNVHSMEGDAWgBRdp91wBlEyfue2 +bbO15eBg6i5N7zANBgkqhkiG9w0BAQUFAAOCAQEAakPgMKVjkQmpI1VROcetvZzM +ZHMWwdu9IcwNpi/8qs2qNh6wCYv9c4V6O4zRCB1u8TuAIQiwLNZgjk+OKKLzvUik +gBRogn/apXsvAtfu9ODv5GuS6F38OYWDu/c3fiCZB2MKTtmEro2EkxxMw4DkfJ02 +R/xrhAnjeQlRQOChgQ3fHNmH9gVNaKXNq+JaoU2TfHFwuYMMe6q1L+vhOaBd58YA +6wPHOOLcIEaebHIqa4duAE5txJsZCEEySrr5stqo4j7929BAw+U6f+6Wb+UAEW6g +91PKAl5QVbAzgPFWoPkOTNdDOprT+B4eGx0EC2QTEtxxDv5589choF7BMRCzsQ== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem new file mode 100644 index 000000000..0e694c4f1 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa-expired.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA0s5RX2Y9KUSoNewtwOhQunET9VRGrVYS+xDewmIuAHZt4jhb +ETSHS+r/qipV4mI+/orSzma0+GVcDwbHRT3oDCrpG/DMpPznki+OzHT9e/HHk0yx +b0Ti6vDDbZOM8y3r7ak0Dcq6BgGwPxwIW2u1YHRTj4yxlr5wj9iKU1SQGCwZIQZm +jqrjoQlcrThIXju2bqN3SOjuaN6A2GAvcbb/IeQEm8HBqulmyBuGV7Gk9umG/nr6 +1rulNxEp+3Dsce5mv7JRdX5W8P6pv38A/f31Bh/EetEkv8qdnkH0aVAvd8Kb2yxc +8Ofdu0kJNoPHGjrnSywlkPh3z2pw6nOFpyFHoQIDAQABAoIBAQCRRwiDM2VhBGTc +THi3oiLIaldz0fGnUVNhXR33XkwPm45cwbPY5pd7NWeecPChRE3fg/KFtfhv2wKX +hHdd+6zofcYKsGeIKJa6gzXpJ5LtkRGWLNt3MEUl3mkAIhiYGoSmU96Axr5ul0lM +JNiJkG/+GgzgN/jHR1UxfOzPQs7PKIyzCE2N0v8dRxHWeyPCRxSavlhAoQKjWxCe +FfVBzLi+L1faidcwf4GWyeTfhvALXQnQGgVPH6PX0z3mwaeYHPWVXWJGcaF0bi3H +HaEb2YexTDkEVU0PUVYO40OgtmKVLmi5t+ZP+/dFasy9elzgM3sSmVc7IBp6BBCH +NgUcWcf1AoGBAOiti9raozwdA/wHAMaCCbgXq8Dg0+3LYnb0ob7w8OaHRl4Mvpup +7MtxPGmr9IOddf8/49+L9STsioMllGt0TrkMrlKyg/eglGMalvbJmUYw1kERtQZw +0CYYE8DXR3fvN+eMl1maZ4Wf048UugWQhsRGzOyUKcMXhAlIXwTevnCfAoGBAOfv +isxrw5vttRxfszZaWeomos9bk6NA9FJYG1rS6ocR+Ww2OpQSJVTmbjpYv1lTb9yr +PvcZtPbWP/6g8kjPTQQ+ZnJQB4RpWek0KlxwxC6JW5HzqMJFn68zX4/jE5kXqVow +Y+Sfgrkr4QXX8vjzp9GFRhAW6bA5DlswqH7XmB+/AoGARHYDx3I7Q026RWZ+GOpc +F7mHRKoiUT5di2ixSrA0AXBeCQAw+TZHQRjhUKpSuIMVG/RdhQH2MFYU7z+YawF+ +xD3x8M0rvSmXX42MS7LHkXp/IAgovmtlI0BEV6JAGg7d4Rhh0/B1c0Cyi8/qaAa9 +UHUQiK+Tlh6OL/kGVDWBzTsCgYBTW5Jk+e4pontPIU4FoN9j+lLVd7JOIFAvMB9U +uy0zMlCUhcDz6rmkE9VV/wN2lThE9P8CTCjv9fy2BR5O8MJbXhnvx7eL7Vk1KVx4 +MMcxeoiAojPq7p7/ltUnn5MxmIFzOqUMTA/tgUm0kfJvaxLLiLyvl6yRe1AfkhNc +0xuHfQKBgQCyQEcvtmR1Qx82ob5uTvBbKFDbSniiJMi9kgMk266PNRdg85Q4RC7X +j5KNALOb5u2oMT6/Hzi4KruDBc/6viXRuMYM+L1JIy8y6wcVjCQetxyUIGgc9Ouh +59bOkD+SOth52Y+AYFyCaJOSoTFHlTcLwCvk9gVdbgVYJi7/jyohSQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem new file mode 100644 index 000000000..a4e001791 --- /dev/null 
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.d/private/aa.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAy6nSTRzCuTbfuv2FwnXC/R7+5L5WViVxBfCEkaxzW5GJJGTF +FbSbpQJxWk603BJHhlVAVj8jUNMKcOuj/l8UPNV8lcDslQfe/AZd6gqdCwP7uMsA +Q3yWfkZZK1jxTdTPdvcpLNozt7hmIroJVTGzmzI5YIvWbYT/zyEge6pEPaXr8IqY +zdWFCUINTXUGEr/Llt3IUKMTNnhabPHAbTIZ3i0c98Ci0ZzZjGx+JmVVvcY9lgNT +jS2xaaklUCq2auR/QzP7PxuSYkAF4qYhG7Ujeo7v4z79mXISFTlyqKe7k18wUKdf ++7suyGczSRMP6+5NjqNqab7l/SHwHQMVEE5ihwIDAQABAoIBAQCIvn5QfkYUG87+ +eyirV2xTjdMw/Md1UfBgP4yTTsmpqr79K5fUqg5zLX+0VfJDbRaPEICBKCVrKDfz +d5QFwAsTiXf8CKwQqFdEunWmJfgppEQIYGzN40IciNloLHDghEnEI9GGpv9glLQn +DugjRprEUmWJ+HpB0LH9fc2Ums704Fcd8ud3bStCRxU1TA5VGBHmnyK5/n1Lb1oB +01LoW8ins8lATuV+MAaWZgmCbPajfXY9wQGq3IDMVlOUOTxRo742T1GTrwBZR8ot +mgs/Gs1XkJRC1x9Z9Z1Cej1iC5llv0zX8AUdejczGHQGHj1a1Dg8FpRneW6rrLyK +vvKR8jtRAoGBAOpyk63yCPM2LqU4US5aHXPoLyyGeo4v7okTKIuoUfosQ4XJvylM +lEYoFVFKYBKcXRQhmeWyILtto2BBDnG1HWAi1MbUWLxDNEYieurzJiv4i0XbR6cH +mLhMMlQyKmwLRF5v3EiupjKBZRk2iYcx4eeL3gsUWUzRPeWJHKDgYF4PAoGBAN5i +xyOsU/32gQ6vLQxt8us6n3OBr1PiFg8JIdADPnKOCxJ5uS8dkqOQHCMKyvS9MWrf +3Wj4MOBEgW7fBBAxkvjJdPhBW70/pGM46mb991dTHJ4gIAzGxgvJIqw/FjqEC7Oo +vWDRS4dxW56Rs2tdLn2GRvvlS3+3z90twqS/t6wJAoGBAJpzhzT2Gc1YaZxxIJI/ +zd15HfLgWUbo7uWhGHoBFpiQpp8yDNzBVYFukLSwIeDA4FUN2dxH4GZ50ULtOP3S +Cps19yVR6W+Fep+lwYKdUw1uvRn1Xxv71jG8CQAM2IO7XHw2h1HetSDau+bDVhEZ +3LB1JX/5FOeVhYh9Lr4Rc4sjAoGBAJCTCv+oEtqyHOjc/Z5tBFXkwLCpCMCx5MFV +oIPI+BolOhGCzN9SjHiFQaWOaK9/J9dhPmH1qGDEaJkZp1yXvgK7ha23X9rCuy4+ +XDUkul4tDBfIrs1flHUpB7+PK/ZSzgC4nJWKu12MVpHaCxirdYPpfdBZGyIm753N +GBNfCBtxAoGAKkrHlsfq7GVVU7Jj1AlNCwmlm21vSJ45G3cNR1GpgdplB5JR1ldV +2kxA4xm8uFVIJ60OQ9VZ5Svaovqh8iX2sndSOZMefjH3qiDu/4mJqRA3xV5ugon3 +RAzinJzUU4tnk9pajOMD3FHOHvUO4hAJjVYEzqLIIRE7QhPuEpLevZ4= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/description.txt b/testing/tests/ikev2/shunt-policies-nat-rw/description.txt new file mode 100644 index 000000000..7d9ebfd90 --- /dev/null 
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors alice and venus sitting behind the NAT router moon set up
+tunnels to gateway sun. They tunnel all traffic to the gateway. In order to prevent
+local traffic within the 10.1.0.0/16 subnet to enter the tunnel, both set up a local-net
+shunt policy with type=pass.
+

+In order to test the tunnel, the NAT-ed hosts alice and venus
+ping each other and the client bob behind the gateway sun.
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
new file mode 100644
index 000000000..4d36673dc
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::local-net.*PASS::YES
+venus::ipsec status 2> /dev/null::local-net.*PASS::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
\ No newline at end of file
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..4c6e51df7
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%any
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftsourceip=%config
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
+
+conn local-net
+ leftsubnet=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
+ authby=never
+ type=pass
+ auto=route
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..90a8ae26e
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ leftsubnet=0.0.0.0/0
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
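Review bot: The `conn local-net` section in alice's ipsec.conf installs a `type=pass` shunt for 10.1.0.0/16 with `authby=never`, and nothing in the file says why it sits next to `conn nat-t`, whose `rightsubnet=0.0.0.0/0` otherwise sends everything through the tunnel. Anything addressed to that /16 leaves the host without IPsec protection, so the range should stay as narrow as the local network and be explained where it is configured. I would add `# bypass IPsec for the LAN behind moon; all other traffic uses nat-t` on its own line above the section. The same section is added to venus/etc/ipsec.conf and wants the same comment.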
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..ade641503
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%any
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftsourceip=%config
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
+
+conn local-net
+ leftsubnet=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
+ authby=never
+ type=pass
+ auto=route
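Review bot: The comment `# allow MobIKE` above the two UDP 4500 rules in sun's iptables.rules does not describe what they do in this test. alice and venus sit behind moon's SNAT and evaltest.dat expects `UDP-encap: ESP` on port 4500, so these rules carry NAT-traversal traffic; I would change the comment to `# allow NAT-T (IKE and UDP-encapsulated ESP)`. The INPUT rules for 500 and 4500 also match on `--dport` only, which looks deliberate because pretest.dat maps the clients' UDP source ports to 1024-1100. A one-line comment saying so, for example `# no --sport match: moon rewrites the clients' source ports`, would keep someone from tightening them to a fixed source port later and breaking the NAT case.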
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..1ff2c0644
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,5 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat b/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..b96aa0ce7
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,11 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
\ No newline at end of file
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/test.conf b/testing/tests/ikev2/shunt-policies-nat-rw/test.conf
new file mode 100644
index 000000000..bd82f03ad
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/shunt-policies/description.txt b/testing/tests/ikev2/shunt-policies/description.txt
deleted file mode 100644
index dd78a5ef1..000000000
--- a/testing/tests/ikev2/shunt-policies/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-All traffic from the clients alice and venus is tunneled
-by default gateway moon to VPN gateway sun. In order to
-prevent local traffic within the 10.1.0.0/16 subnet to enter the
-tunnel, a local-net shunt policy with type=pass is set up.
-In order for the shunt to work, automatic route insertion must be disabled
-by adding install_routes = no to the charon section of strongswan.conf.
-

-In order to demonstrate the use of type=drop shunt policies, the -venus-icmp connection prevents ICMP traffic to and from venus -to use the IPsec tunnel by dropping such packets. Since this policy does not -apply to the localnet, venus and moon can still ping each other. diff --git a/testing/tests/ikev2/shunt-policies/evaltest.dat b/testing/tests/ikev2/shunt-policies/evaltest.dat deleted file mode 100644 index a6e40a817..000000000 --- a/testing/tests/ikev2/shunt-policies/evaltest.dat +++ /dev/null @@ -1,16 +0,0 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO -venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES -moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES -moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES -bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES -venus::ssh PH_IP_BOB hostname::bob::YES -bob:: ssh PH_IP_VENUS hostname::venus::YES diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 46ca4cdc3..000000000 --- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,40 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn local-net - leftsubnet=10.1.0.0/16 - rightsubnet=10.1.0.0/16 - authby=never - type=pass - auto=route - -conn venus-icmp - leftsubnet=PH_IP_VENUS/32 - rightsubnet=0.0.0.0/0 - leftprotoport=icmp - rightprotoport=icmp - leftauth=any - rightauth=any - type=drop - auto=route - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - lefthostaccess=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=0.0.0.0/0 - auto=add diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules deleted file mode 100644 index af0f25209..000000000 --- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow icmp in local net --A INPUT -i eth1 -p icmp -j ACCEPT --A OUTPUT -o eth1 -p icmp -j ACCEPT - -COMMIT 
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf deleted file mode 100644 index a5cd14b30..000000000 --- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown - multiple_authentication = no - install_routes = no -} diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf deleted file mode 100644 index cd8ea23c3..000000000 --- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=0.0.0.0/0 - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 8e685c862..000000000 --- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown - multiple_authentication = no -} diff --git a/testing/tests/ikev2/shunt-policies/posttest.dat b/testing/tests/ikev2/shunt-policies/posttest.dat deleted file mode 100644 index 837738fc6..000000000 
--- a/testing/tests/ikev2/shunt-policies/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush - diff --git a/testing/tests/ikev2/shunt-policies/pretest.dat b/testing/tests/ikev2/shunt-policies/pretest.dat deleted file mode 100644 index c724e5df8..000000000 --- a/testing/tests/ikev2/shunt-policies/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::sleep 1 -moon::ipsec up net-net diff --git a/testing/tests/ikev2/shunt-policies/test.conf b/testing/tests/ikev2/shunt-policies/test.conf deleted file mode 100644 index 6b7432ca6..000000000 --- a/testing/tests/ikev2/shunt-policies/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem index 4ebebba5a..a4d9812d9 100644 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEMDCCAxigAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MIIEMDCCAxigAwIBAgIBKTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA5MDQwNzEyMDExN1oXDTE0MDQwNjEyMDExN1owaDELMAkGA1UE +b290IENBMB4XDTE0MDQxNDIwNDY1NVoXDTE5MDQxMzIwNDY1NVowaDELMAkGA1UE BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXtFcjNbEEK76mVv1j3c -6YWBeunBl7V9Qf1bPpzwTTUIKFDkg6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH -8DKE1MaBOgvnW01vh2p1j8jW3VXSwBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1 -XaJSGAvwG3Jap9/gChClAv65zg34mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3n -hgxJ7+3q9vX+z5EqUQB59WBzVz7fU9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq9 -0k/+Z3gKIHbi6YIoIXDs7bOSaw8myvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/ -rQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE -FABqD2vvGFgP2xX2Qqjx26Mz1RR5MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzXQSXX8LtY/RlgvQxxCF +pq787RPVD1HQciKemGkzUcjC+J+3rHBKmPT68Prb/4j9ESYdPqvaI7KWGD7pkAv4 +BWv4rw5iAxKB7bEDSVg5Gjs9vXDifR27Pz8rfsQFo8+O9oYWb7Ah45TNU/B8+Pcr +Gajv0I7eHUbGJsKlgOOMBkSe3cbQd9jc54iv8AFFfMsh5riMz2+7LI8zaMzie3vN +aPjsSDcGTB7jDa9bY+ZMbHzdFaDzmodDrZNJOSKTeDp5QTuP/JTPrSCXiIqUEJbE +IUhWF2P1s8wH9SeW0ZQlw4Z0eETR/c7XQfzdJj7UCmWLJQ//eseoAXNc1DbV6EtJ +1QIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE +FGkt9dMYc1d/MRpfoo1q6zzwdBDMMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl 4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j -cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEFBQAD -ggEBAGuatpu8jxc22Iqglx5UIa8fkNSjfyLgO0RugCB+kPPilGttGWly+raLggQM -Hu1qdt4l0cj60pe03Dc4GuUwJCW9J4ntVvCp1/SLcifvd3pMTtlrdSMpj105L5ma 
-/nVksJ7UZPzcBLMq/8FtEg68H2WM+ixrmlm2cZiFDytMODEuAPCwWHOSP4WJNDzS -KKc95ONxwTsD1VDm/ShcKw083XgvT7oHoei2RRDYp70CkatWOOJ7eMxdKdICl8nu -9RlBLG8CJqcy7cJ4V7GOk6EOtGpGL/GR2gpLpvUnmWP9MUHYu8rVTzKQdW9A2Wjx -fmSZH0LzbAm+7XFrP71rBSJUaUI= +cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBAEbfq0PDdexYL9OqqD1Q8U0UXIRi3hvruqGM+KW8UbKisRqJJnow5wCYBJLI +MFC7ze24AcADe0Az+uLdKzClVZ+87i/vMse0dCGxSvKKwUtI9bFeQOourrBEHHRw +xJJcY9eGlsJoyJXyuT8sEXI+YqAaVDtcAYDa+OjIQNrJeIZDv9t/+1q1wlh0gvIz +zfndSfL4xEIf+lw1Flvt8BwTx4jDk6QIS4jUO3YtHzrtZ+171/iqmSvGrEmfVceq +1KOn7zNgh7XHmqE92HU63R9sVu3zjVSzuAMIVDqT5v8qU6T85NJE8ebYXi/RL8ON +btGZ7+y4Z4CbdkjLZ+Oxtew0nwk= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem index aec8e7a33..c1f4b179f 100644 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAtXtFcjNbEEK76mVv1j3c6YWBeunBl7V9Qf1bPpzwTTUIKFDk -g6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH8DKE1MaBOgvnW01vh2p1j8jW3VXS -wBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1XaJSGAvwG3Jap9/gChClAv65zg34 -mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3nhgxJ7+3q9vX+z5EqUQB59WBzVz7f -U9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq90k/+Z3gKIHbi6YIoIXDs7bOSaw8m -yvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/rQIDAQABAoIBAFekBUCGPobWw2sJ -u32J+IIpgAL8mgoKkkfo80SEg6O1ZZAaqJBNBZNRSRs+0zs+L+b2U4m88lg9Jf5Y -EZqhgd3kd7NNfaCrmPnFpoONzOI4ClNvG8y5VcwMaNezcAmCQ+bFxd6J04IGjZhP -/HYWLJVgSybjtPt8OP1zJv2VVirgSb1rHOzI9j1CsaIl6m1gcXU2hA3A2/BIOd6Y -UgCxJKu8G7NsmW14TSbJshcI1tUFOfbxFlAhmeAD57Kw6eC2GVwuBhghAYCNbpx0 -TYcQeTsBUjubna30K7+8lU1uiblKNLDqAzWynHz8xm1QEo0Z7txP9RRJUZDzlpmx -u9iCMp0CgYEA6ZSexI3igJ68bdTOBwdbFtA9wqUTbYj6MULfUkFwqGLswLpNhhGv -Y9X8YHUjcWEEoLXZb9QftmQc1R/nFCWC2slBBrKw9oERUUVYoczNpbkqJI1fjVfJ -lNFgPXqQlRGIgSzSZr0CdBVs2VZKp19izQRQQI8d3ATD+Q4503dorgMCgYEAxuaC -jow+vgcNt0DxlVWiV9rYGR7sDPJhdDyWgZ+yfaG0lVaX/81cEVxalUKTGHeHrhFs -tIrZbRaIo9+XINzqCBNqfgauAZRFCvDv/BQPoGW+XKe+nH7DcC5PH8lcH6k1uGlq -1KaRPymLRF8/PMmQ92o5Gk6H+Ah523hOJSv5BI8CgYBXH91cmUO8D/leyjqS+pZq -WwA+Yw5tE+Omjjf4WXppBIUkmhkigeQ2y/FYFTlEKBjuzQWupaOyh4MNp9msdRVr -ABhmJC7Hs3q/IqudpmOqhfeHLMhQU0dYYASSye21/JU7AXn1YljQ7dDs/DfaWETl -Dc/VVMyhbZGfi0PccbS0+wKBgQC686+DjQ7sTnT16nUoiHUvXuP/uLDm+mvfdZOC -AzkiHPw/4kS8i6oeJ1B9OzZHqRI+6uHiUSBNCQEmBuNmYD8ZmCZgjqa/lT3QKudn -aPPHL9rd/E2NixjoOJ7mob2VhNaZn3xqpKWhWMsuWNh3qn44D//cWjQzTsQ7JblN -9yb4wQKBgQCUs7wKhD/c45ST7bWH3C/iXBXsUwJrVPLKrCxl5vzkKTiDevMDVndo -/jRAVk5UQEGO+R2eaqsgEujsS+ypGG1EWAdDyQ/6v8/34I7UF/bh5lZYOh1dXr6F -PIROdfotGWYq2ituq1IbJMKFwhZLM7CRqnr0qsb9UaZeeuhqB3PAKQ== +MIIEpAIBAAKCAQEAzXQSXX8LtY/RlgvQxxCFpq787RPVD1HQciKemGkzUcjC+J+3 +rHBKmPT68Prb/4j9ESYdPqvaI7KWGD7pkAv4BWv4rw5iAxKB7bEDSVg5Gjs9vXDi +fR27Pz8rfsQFo8+O9oYWb7Ah45TNU/B8+PcrGajv0I7eHUbGJsKlgOOMBkSe3cbQ +d9jc54iv8AFFfMsh5riMz2+7LI8zaMzie3vNaPjsSDcGTB7jDa9bY+ZMbHzdFaDz 
+modDrZNJOSKTeDp5QTuP/JTPrSCXiIqUEJbEIUhWF2P1s8wH9SeW0ZQlw4Z0eETR +/c7XQfzdJj7UCmWLJQ//eseoAXNc1DbV6EtJ1QIDAQABAoIBAQCiSRgkoDDolpSv +199vDl7z3e9NeUfnlPF45l2t+BMge9t+NfMIk55pGcGKTi0uuM9lF10sXuStI+ip +eDBXpwyfg7zo0gybbqgQz6zP548baEYJeLx+pdh9SfGabU4jKdU8Z4gbat4p/ST/ +M8wTgHGcEDR14hQSvg/RGBlRKOw3Gdq5+lWWHePfL0Lx7xmvXDcrOxtgN3aaQaHB +b6bcb6V6vxcXeQR5eLV1k5mHFauu0wunFOimJrzozBfaUmlsOCGI1t9+3F0HPH9U +SL4CHDQkzb8owE+3PNDAFKlads7/3dkp5bS2YeWNwYUvCLcima2isyH7eQa033Aw +LK+XvgBhAoGBAP55aQGGmuXbdRvOa7YwobQHaUppV/ZLPSQlrmbeTCVv4SN0OmvT +DQh+VjlQ0+XhJudhIGRTdVns7xi5BWy1H2dPvOOG0VX5xVLyEVcyOfAmII8zP3Mo +ZzzShehwfi7Pu4hlGwt/oaFuIID9nNROJ8wxF0KsHaTnJvJIAP9GEu0dAoGBAM6v +a4OGeNkWrGfSJ1PQXkV3r49Uib4n8ToWbAmbKn5lf+Hq25+3p94ontm7cj7NSq6q +iOYPrnG/r9of+ikCU+065RpI/Xf91Yf3uy5YXY8GUTumknXCI8nXE4Nt42HrW1pB +hoFh/Z4dSs6jX8G3LuJiPdvQ3Bi5SsOiEaFruwoZAoGADMFfLxFlMEJY02T8Zyx2 +3oREldND8neBAA/XdxaLcJD0EwffacoxbAyRG9xeUrZ/cbefnQfF6RUEQxP7HqDR +iycnC6yVT57uciLqFZnR56SxmxvxgT80NYtD5QvGd2g4OTUALwpduq6/eFe+BbJJ +MmX/iXsBHWPswtYzHpiPmE0CgYAy+gkmc3Ay+uii4q5YebgGojJmw48Fm4xfq1AS +PncInbgg3HA2wHFi1dn4EcdnvfKBigYh2BRKceDJh8GHg893X2NKTF5Xzf9wfaVp +FNpegExgzgCpkqyJB8cET4IZkJcDd83Y83Y+HTNqK9leSfQCWgCvyp++aVULU1nN +2mhTYQKBgQD7MvZ4zXOHCqWQpYyKAMxAo+0xoZcT6LCNYRfkehwYQRRtVSH74S0Z +npadWcLXCuIJULgPD/JxCqHBylEoRjFC6BYmqTJJva7mLkf9es09kS7MPmNxGs60 +S0Wg4PBCXe74uN7+IgziCoSBGiUxTg36B687+PesvhhCnsTLFYbYZA== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..135cfaec0 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc 
@@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/613A3B61 2005/08/07 moon + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB +vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 +f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac +t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP +=oaBj +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..32f204b10 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/79949ADD 2005/08/07 sun + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR +A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj +0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn +lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== +=lLvB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc new file mode 100644 index 000000000..6524773e0 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc 
@@ -0,0 +1,19 @@ +Type Bits/KeyID Date User ID +sec 1024/613A3B61 2005/08/07 moon + +-----BEGIN PGP SECRET KEY BLOCK----- +Version: 2.6.3i + +lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd +JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9 +FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6 +7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3 +0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN +8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7 +QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v +biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4= +=YFQm +-----END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..135cfaec0 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/613A3B61 2005/08/07 moon + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB +vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 +f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac +t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP +=oaBj +-----END PGP PUBLIC KEY BLOCK----- 
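Review bot: The added `moonKey.asc` is a PGP secret key block that appears to be stored without passphrase protection, and nothing in the file marks it as a fixture; the same applies to `sunKey.asc` later in this patch. Both files describe themselves as 1024-bit keys dated 2005/08/07, so they are only acceptable as publicly known test-suite material. I would add a line such as `Test-suite key, publicly known - never deploy` to the plain-text preamble above the armor, assuming the loader skips that preamble as the existing `Type Bits/KeyID` lines suggest. It is also worth confirming that packaging installs nothing from `testing/`.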
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..32f204b10 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/79949ADD 2005/08/07 sun + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR +A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj +0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn +lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== +=lLvB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc new file mode 100644 index 000000000..de2393649 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc 
@@ -0,0 +1,19 @@ +Type Bits/KeyID Date User ID +sec 1024/79949ADD 2005/08/07 sun + +-----BEGIN PGP SECRET KEY BLOCK----- +Version: 2.6.3i + +lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI +Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1 +GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg +vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2 +LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn +2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs +xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu +IDxzdW4uc3Ryb25nc3dhbi5vcmc+ +=DwEu +-----END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/pfkey/compress/description.txt b/testing/tests/pfkey/compress/description.txt new file mode 100644 index 000000000..4c60384f0 --- /dev/null +++ b/testing/tests/pfkey/compress/description.txt @@ -0,0 +1,4 @@ +This scenario enables IPComp compression between roadwarrior carol and +gateway moon. Two pings from carol to alice check +the established tunnel with compression. The packet sizes of the two pings +are different because the kernel does not compress small packets. diff --git a/testing/tests/pfkey/compress/evaltest.dat b/testing/tests/pfkey/compress/evaltest.dat new file mode 100644 index 000000000..843326ecc --- /dev/null +++ b/testing/tests/pfkey/compress/evaltest.dat 
@@ -0,0 +1,12 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+carol::ping -n -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..78809898b
--- /dev/null
+++ b/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..2061e52e9
--- /dev/null
+++ b/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..718b3c814
--- /dev/null
+++ b/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ compress=yes
+ leftfirewall=yes
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightid=carol@strongswan.org
+ auto=add
diff --git a/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2061e52e9
--- /dev/null
+++ b/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/compress/posttest.dat b/testing/tests/pfkey/compress/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/pfkey/compress/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/compress/pretest.dat b/testing/tests/pfkey/compress/pretest.dat
new file mode 100644
index 000000000..29a90355f
--- /dev/null
+++ b/testing/tests/pfkey/compress/pretest.dat
@@ -0,0 +1,6 @@
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/pfkey/compress/test.conf b/testing/tests/pfkey/compress/test.conf
new file mode 100644
index 000000000..d7b71426c
--- /dev/null
+++ b/testing/tests/pfkey/compress/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/description.txt b/testing/tests/pfkey/shunt-policies-nat-rw/description.txt
new file mode 100644
index 000000000..7d9ebfd90
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors alice and venus sitting behind the NAT router moon set up
+tunnels to gateway sun. They tunnel all traffic to the gateway. In order to prevent
+local traffic within the 10.1.0.0/16 subnet to enter the tunnel, both set up a local-net
+shunt policy with type=pass.
+
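Review bot: `carol::sleep 2` in the pfkey/compress pretest waits a fixed time before `carol::ipsec up home`, which is a race on a slow guest. If charon has not loaded the `home` connection by then, the initiation fails and the evaltest checks report a failure that has nothing to do with IPComp. The `shunt-policies-nat-rw` pretest added in this same patch waits with `expect-connection` instead. I would replace the sleep with `carol::expect-connection home` and add `moon::expect-connection rw`, so that both ends are ready before the tunnel is brought up.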

+In order to test the tunnel, the NAT-ed hosts alice and venus +ping each other and the client bob behind the gateway sun. diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat new file mode 100644 index 000000000..4d36673dc --- /dev/null +++ b/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat @@ -0,0 +1,12 @@ +alice::ipsec status 2> /dev/null::local-net.*PASS::YES +venus::ipsec status 2> /dev/null::local-net.*PASS::YES +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES +venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES +alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES +alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES \ No newline at end of file diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..4c6e51df7 --- /dev/null +++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf 
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%any
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftsourceip=%config
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
+
+conn local-net
+ leftsubnet=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
+ authby=never
+ type=pass
+ auto=route
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..7e96bf1c4
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..90a8ae26e
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ leftsubnet=0.0.0.0/0
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
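Review bot: `conn local-net` in alice's ipsec.conf installs a `type=pass` policy with `authby=never`, so everything alice sends to 10.1.0.0/16 bypasses the `nat-t` tunnel and leaves unprotected, yet the file has no comment saying this is intended. A reader copying this roadwarrior config would not see that the exemption covers a whole /16. I would add `# bypass policy: traffic inside 10.1.0.0/16 is sent in the clear, outside the nat-t tunnel` above the section. The same applies to `conn local-net` in venus's ipsec.conf later in this patch.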
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c0f605d26
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..ade641503
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%any
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftsourceip=%config
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
+
+conn local-net
+ leftsubnet=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
+ authby=never
+ type=pass
+ auto=route
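Review bot: The comment `# allow MobIKE` above the two port 4500 rules in sun's iptables.rules does not describe what they do in this scenario. The peers sit behind NAT and the evaltest expects `UDP-encap: ESP` on port 4500, so these rules carry NAT-T IKE and all tunnelled traffic; I would change the comment to `# allow NAT-T (IKE and UDP-encapsulated ESP)`. The IKE rules also deserve a comment saying that the missing `--sport` match on INPUT is deliberate, since the pretest's SNAT rule on moon rewrites the source port. The ssh rules accept any interface and any source; if that exists only for test-harness access, a comment saying so would keep the ruleset from being reused as a gateway template.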
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..7e96bf1c4
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..1ff2c0644
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,5 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..b96aa0ce7
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,11 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
\ No newline at end of file
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/test.conf b/testing/tests/pfkey/shunt-policies-nat-rw/test.conf
new file mode 100644
index 000000000..bd82f03ad
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/test.conf
@@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/pfkey/shunt-policies/description.txt b/testing/tests/pfkey/shunt-policies/description.txt deleted file mode 100644 index ad98eb8d5..000000000 --- a/testing/tests/pfkey/shunt-policies/description.txt +++ /dev/null @@ -1,11 +0,0 @@ -All traffic from the clients alice and venus is tunneled -by default gateway moon to VPN gateway sun. In order to -prevent local traffic within the 10.1.0.0/16 subnet to enter the -tunnel, a local-net shunt policy with type=pass is set up. -In order for the shunt to work, automatic route insertion must be disabled -by adding install_routes = no to the charon section of strongswan.conf. -

-In order to demonstrate the use of type=drop shunt policies, the -venus-icmp connection prevents ICMP traffic to and from venus -to use the IPsec tunnel by dropping such packets. Since this policy does not -apply to the local net, venus and moon can still ping each other. diff --git a/testing/tests/pfkey/shunt-policies/evaltest.dat b/testing/tests/pfkey/shunt-policies/evaltest.dat deleted file mode 100644 index 6ba3a988f..000000000 --- a/testing/tests/pfkey/shunt-policies/evaltest.dat +++ /dev/null @@ -1,20 +0,0 @@ -moon:: ipsec status 2> /dev/null::local-net.*PASS::YES -moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO -venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES -moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES -moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES -bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES -venus::ssh PH_IP_BOB hostname::bob::YES -bob::ssh PH_IP_VENUS hostname::venus::YES 
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 90a5d61b1..000000000 --- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,40 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn local-net - leftsubnet=10.1.0.0/16 - rightsubnet=10.1.0.0/16 - authby=never - type=pass - auto=route - -conn venus-icmp - leftsubnet=10.1.0.20/32 - rightsubnet=0.0.0.0/0 - leftprotoport=icmp - rightprotoport=icmp - leftauth=any - rightauth=any - type=drop - auto=route - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - lefthostaccess=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=0.0.0.0/0 - auto=add diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules deleted file mode 100644 index af0f25209..000000000 --- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules +++ /dev/null 
@@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow icmp in local net --A INPUT -i eth1 -p icmp -j ACCEPT --A OUTPUT -o eth1 -p icmp -j ACCEPT - -COMMIT diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4582e1473..000000000 --- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown - multiple_authentication = no - install_routes = no -} diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf deleted file mode 100644 index cd8ea23c3..000000000 --- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=0.0.0.0/0 - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 902d83c69..000000000 --- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown - multiple_authentication = no -} diff --git a/testing/tests/pfkey/shunt-policies/posttest.dat b/testing/tests/pfkey/shunt-policies/posttest.dat deleted file mode 100644 index 837738fc6..000000000 --- a/testing/tests/pfkey/shunt-policies/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush - diff --git a/testing/tests/pfkey/shunt-policies/pretest.dat b/testing/tests/pfkey/shunt-policies/pretest.dat deleted file mode 100644 index c724e5df8..000000000 --- a/testing/tests/pfkey/shunt-policies/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::sleep 1 -moon::ipsec up net-net diff --git a/testing/tests/pfkey/shunt-policies/test.conf b/testing/tests/pfkey/shunt-policies/test.conf deleted file mode 100644 index 6b7432ca6..000000000 --- a/testing/tests/pfkey/shunt-policies/test.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/sql/shunt-policies-nat-rw/description.txt b/testing/tests/sql/shunt-policies-nat-rw/description.txt new file mode 100644 index 000000000..7d9ebfd90 --- /dev/null +++ b/testing/tests/sql/shunt-policies-nat-rw/description.txt @@ -0,0 +1,7 @@ +The roadwarriors alice and venus sitting behind the NAT router moon set up +tunnels to gateway sun. They tunnel all traffic to the gateway. In order to prevent +local traffic within the 10.1.0.0/16 subnet to enter the tunnel, both set up a local-net +shunt policy with type=pass. +

+In order to test the tunnel, the NAT-ed hosts alice and venus +ping each other and the client bob behind the gateway sun. diff --git a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat new file mode 100644 index 000000000..4d36673dc --- /dev/null +++ b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat @@ -0,0 +1,12 @@ +alice::ipsec status 2> /dev/null::local-net.*PASS::YES +venus::ipsec status 2> /dev/null::local-net.*PASS::YES +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES +venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES +alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES +alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES \ No newline at end of file diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..50eccad21 --- /dev/null +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql new file mode 100644 index 000000000..b1f5c7d10 --- /dev/null 
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql 
@@ -0,0 +1,199 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* alice@strongswan.org */ + 3, X'616c696365407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org' */ + 11, X'05da04208c02f428470acf6c772d066613da863c' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux 
strongSwan, OU=Sales, CN=alice@strongswan.org */ + 1, 1, X'3082041f30820307a003020102020119300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303732345a170d3134303832363130303732345a3057310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311d301b06035504031414616c696365407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d88d6a4811e6972dd0daa2adf3c911bf5edd8664607bea67f45427a11af59184f0ab90c46007b8b5aa69fff71ab2ff2d822cd5f4c9ec94cd32ef8f49e73c91ff48e40c48b4fcdbfae4b023d857431865349f15f998ecf50dc65ffe7dc12dc37071788bc6fcf08fdfeda2c6c073a84724ff5193d73c622b1d2f545a1ff9d3ffd0fc62eb7a2be85bae427e3ee8362df0313630641e4cc8f639abd311718c843dad0634cd06cf361f204910cfc9ee48bfea590ae62e6952e8ab70e4bdc75ec51a2a29c6b74c48ee32c65a1e32b27ae330dc4acd1b762c84ea48fb684d3476241e9ae7feb9e38981d85184ae949dfcb8064e6c333a096864ba6c420b0deb18e952fb0203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e0416041405da04208c02f428470acf6c772d066613da863c306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d11041830168114616c696365407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b0500038201010056bf83e11c656988b179337467a902d2a111632aa9f737d59ef35456c15469073c285046878b37a569572df45260eadec593f0fc174c1a8391052a5720290f1f77fd2a2c4dfddeec066f80efaa5db0e3d34514352c939142fa93140c062c587c85bb6e96298e647da33034c3491cae9ee26ebe5a6a32e6e9646adc032510ea9321b5d5827fa749f41c01b50c12682fdd3bf54fb14314fef5ad9fed368e07f51b40d3af3a0a9a75d
939b940d38ea9d8fdb96d6c002eb88d5934cacf082354a2b71d8724896f5b6517f2574d307a37ad17a984589e4e53d727ed354d00036ea082c92fe0c303c206021acc99b825fdbd6f97b00ad1409e5fb1264388eed1f054f6' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org' */ + 1, X'308204a40201000282010100d88d6a4811e6972dd0daa2adf3c911bf5edd8664607bea67f45427a11af59184f0ab90c46007b8b5aa69fff71ab2ff2d822cd5f4c9ec94cd32ef8f49e73c91ff48e40c48b4fcdbfae4b023d857431865349f15f998ecf50dc65ffe7dc12dc37071788bc6fcf08fdfeda2c6c073a84724ff5193d73c622b1d2f545a1ff9d3ffd0fc62eb7a2be85bae427e3ee8362df0313630641e4cc8f639abd311718c843dad0634cd06cf361f204910cfc9ee48bfea590ae62e6952e8ab70e4bdc75ec51a2a29c6b74c48ee32c65a1e32b27ae330dc4acd1b762c84ea48fb684d3476241e9ae7feb9e38981d85184ae949dfcb8064e6c333a096864ba6c420b0deb18e952fb0203010001028201005877fd918fee9a9897189b1961dd2528ff8294e2f11feeb5a575b3f2f766979aae10094690ccd6c330e9b92ea473b818497433bc9bb9d158bb946eff8c3e8c8eb4a2a5fa1626af6022896b3b78faea3e7e6ef7b54eaa8fba9eee9cb3977630c0013b742f492aa63c9f82be9be5243c5c7b0a42d1cdd37535a91e56eb754f0cd4fdc52d015f22635c84b70fcaca2c8bfc8eda277cd9d6983ee6445224b283ad195fd3143e23b018d765eb4a299b2eac66c95996abbe059bf60058682f8bf371d38660fc2e30a7803e8b316d37ccd68e4b58d5bad1ac29d17d411c7afbf984fa85c5f38f16607dc7b997ffc787e6fd93f9747db30a05f76c561f1439eed701e0d102818100ebd741cb81a87794d6d45c93ec36e028777b055b4e54b8ec6d0c5cf1434137f9877a650632cd6f95e996d193dd754dbfaea7778e566e3f8cefffa0fd399d289a2f1ab9e8ced96c006eeb7a2415fe765
bc5f7ea30c94de10ab6b27056b1648327f89cd76c8ba799552b544d50be904568d5e50b8edc3bc0a6425315d270a1cd9f02818100eb10151752f48aa212b02bb4ab588ce0bb47553f78e28f35e41f1195110e3f144e5c968943ca61550813e4f5d19076439f9e5998aaa4017d8ac230508f429f52f989e83f13e8e64e7b4f3fa12c2206b069490b07dc003b9a60d7c93de046c99ad239e370d1a379c1bd5576c98999c17ad19d2eebd29d561f764730e1ab6d85250281810085a14c689128f1c8e6092203b6de4918e4ca51f8b06394fc71b5859c36ad6797fdc9be204afcd8732b0e07e62e9f5ed47393f44c3470f795560f941aa760833709e5acdd5b071b090bd0653eb92f9bc4d86166d309dd14dc4b34c42e7b0926bfa940c5577db213518ce1918564d4be5f6e82ff8f8cfe56645e4451a311aabca502818100ba03b20d11127f9a9e1b579ad37571966ddd97327161285f4734e6df05ee3630c58a337e506d18f5073d6714b8500fa697ebe18f148a50bb9e50e996f6a78c19476bc0a41a075629891f3f8535bd7f799ef7b488f5aa21809b5e67dc555cef315b677ffac98b0a512c9933356d74854dc20f17107b4d12d836eb435d72216b190281804440408c4ca3597067faedf8e603a3cca4c1a5c1b5469b25d860ae08f8844d5055b2ae935a966aff2d78fb9b5118731e012bb06ba435209e6f2adfb040c183a2a0b24558b2b9f225b507e42f83a8e5c27afe65a621671f780ff48bf46b9041342dc6515ec7859a95eed1f3135db7bc6e5490faa44de6155917378f8eac8f8459' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_ALICE', 'PH_IP_SUN' +); + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + '%any', '%any' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'nat-t', 1, 4, 5, '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'shunts', 2, 7, 7, 0 +); + +INSERT INTO child_configs ( + name +) VALUES ( + 'nat-t' +); + +INSERT INTO child_configs ( + name, mode, start_action +) VALUES ( + 'local-net', 4, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 
1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 2, 2
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 0.0.0.0/0 */
+ 7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 3, 2
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 1
+);
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..2f01cdcce
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+
+ keep_alive = 5
+}
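Review bot: The certificates embedded as hex in hosts/alice/etc/ipsec.d/data.sql carry a notAfter of 26 Aug 2014 (end-entity) and 8 Sep 2014 (Root CA) in their DER, only weeks after this import, so the `nat-t.*ESTABLISHED` checks in evaltest.dat will presumably start failing on certificate validation once those dates pass; the sun and venus data.sql hunks embed end-entity certificates with the same 26 Aug 2014 expiry. Because the blobs are opaque, nothing in the file tells a maintainer this, and a comment above each certificate INSERT such as `/* notAfter 2014-08-26, test PKI only; regenerate this blob when the test certificates are renewed */` would make the dependency visible. The `private_keys` row holds an unencrypted RSA key, so it deserves a similar marker, e.g. `/* test key only, never reuse outside the test environment */`.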
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..50eccad21
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..4e9975912
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
@@ -0,0 +1,195 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux 
strongSwan, CN=sun.strongswan.org */ + 1, 1, X'3082042030820308a003020102020116300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373039353930345a170d3134303832363039353930345a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b30190603550403131273756e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100df95548a67e90e63694fff10dea9e80e5c49f51f8412b49856b695a145661fd8d21eba017aaaad0dd7f75ee1ed836c4a4ebca28c18f61f48de03b1ee135506c26bd958dd602f9bd2ae4d4e16b4f7f0399a29affe9ad88faa34c9ac31a0f8e80ecf5887b0fb29ff85f1f920934b2d9472595fae89edd36b1576e0d7106577e129e4eaf615b119f50594a51413ba176936dff8f58bb1439f437a663d2116f0b2b2821c7d261ab26c0dda9e6f46a9fbc42f4971e30add5fafd30d29668014040b2902387b475ad67b4f08440b784f37dfe34d441806b9f9342aa193dde017aabc5af401085099d570f7b141da94323714a5715bf1637345607c1208770432ba16c10203010001a38201193082011530090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e0416041456d69e2fdaa8a1cd195c2353e7c5b67096e30bfb306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301d0603551d1104163014821273756e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100a37ecb613f40c31d0c2bf9c0159a4f26a52bd04cbe3b952472c771ee7774d12966a6241163c2a6b915c20509c312074bb2d777b254234f4a49120585d29cf1c9b9c8e9e3b360084b7e16abb7e5f58544623466d78e0826dace08e7e2b7d9b54890d12a96c62777fe85f68a3964d3b4fde4d3aee2d97e435eff372104629efd9ecc69c57095859609b32d055e0ad5de5d19c45182943d5a2bc39666ad361f7096c7034a04869371c991bc67aba
f7954def351b0d6014bd65a15796c80e394047fc724fd029a88c62c95551ba57d8ac4ed4d391dbb7a1a002ba0028ba7aa89ba9f7e4f14002928ca23027485feceb98c90f1366d5474bb00e866f93ff91bf8c618' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 1, X'308204a40201000282010100df95548a67e90e63694fff10dea9e80e5c49f51f8412b49856b695a145661fd8d21eba017aaaad0dd7f75ee1ed836c4a4ebca28c18f61f48de03b1ee135506c26bd958dd602f9bd2ae4d4e16b4f7f0399a29affe9ad88faa34c9ac31a0f8e80ecf5887b0fb29ff85f1f920934b2d9472595fae89edd36b1576e0d7106577e129e4eaf615b119f50594a51413ba176936dff8f58bb1439f437a663d2116f0b2b2821c7d261ab26c0dda9e6f46a9fbc42f4971e30add5fafd30d29668014040b2902387b475ad67b4f08440b784f37dfe34d441806b9f9342aa193dde017aabc5af401085099d570f7b141da94323714a5715bf1637345607c1208770432ba16c102030100010282010031f9d618cddb393d1d5825426713016cdc5227b970b321acff8cf66b42f0ede3702c30158e8ec1f9db314f031f2d0632a1e0e6507c6fdf545153f01cb0338c3c3f11291cea9819b381048494ecc492ecbd39de3e01ecb048325e75dfee045512a2643e885fcbe672d140877885105e2325390ef183b883321c0d6be51d592b79dfd0f3b522a29509f6c5d3d98c59cc4f4fe9aef978340ffc667e78fd27560eae7245d2d66fa10ad55ef2277ebcec65d1d63cc6b60cbb4d7ba77142554d8817ed174fd539fa8160fc60043f45f4f40dd5989b85874a049bf7f356f250591f6cb2de183e94d8287d712f4df0643b94325b7d4b22bd2d095eb384921c63d33168a502818100f6c92d6977e13cb7b41028dd79010eab910ab83ac2be248a08eb8057804348eb1dc3afb92d67d855bfe891ef0def494bdd109b95c8f5a4e296522d8efd2a4425d0d176e8b0da033d717b77fdb0a14931c2e13b08c7137f0dbf4e1
a0ef6919e2c458e40bbecf20004180705e1156bb1d7de09939a8ad096e5346f49e5032a643702818100e7ee610601d43043bea5d304e6502249ce4f70d4de8e903a8fe3a2902878fc7157cb70bf74bc7e0acd7e7a0c3ae1cf2255a22f344a3b9fb13d2347b75ea6a73d15e1327051acffb7f4e56c58f999d7c2e2d878bce0ac09ca2f18d759775c93aa698a45c0c554b99a7147475f1b993fe46c13fed12499006094e806de6db350c702818100e26dd577d6a1579769e405caa7329c26388f3057e1c49a3bf85133d19502a74dea6258c1bbf272e0c292fe0aebab28822dd4061cd964e123712ef75421defce601819eeb8310953674000829413dcaad9894151949a70ec52b48dac9eddbcfd7e8fdcb5161e6ecb2d4e4e4b50f755f98a3c5ffa325489b9ab39084a9564d37e302818047f5087b21a42099541404a55783732fece76ebd4c9374a206b47c62377c59ee1c6c0cfe098cd59a2a695c1a61465fca6a41185e23cddddcd27818af0699b3f75acb74a7ae5f7b332ab2e76baf7d1098f162720b3fb580900f0ea8f9a3f3c008b617e54e4aaadfaed0086a5752abb84bf95036d5d281f9c0fd5203978cf77e4f028181009b29e83640d4b6aa13c81bd79aa890d13aec66c5bff4eddece05cb60320c55bca86a5bd856e364b2809e7d7f2cf94231416927dc39d7f88242b211ac15a38e7fabaca6210537ed1e2f178096f59dc27da21bc09a7b2dc1d5cc7d3bb28fc736c66e6ba19609208b254e4c782462673936445892f4a21a2cfe2066776fe255ce89' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_SUN', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, pool +) VALUES ( + 'nat-t', 1, 4, 6, 'vips' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'nat-t', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 0.0.0.0/0 */ + 7, X'00000000', X'ffffffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, 
kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 3
+);
+
+/* Pools */
+
+INSERT INTO pools (
+ name, start, end, timeout
+) VALUES (
+ 'vips', X'0a030001', X'0a030006', 0
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030001'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030002'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030003'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030004'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030005'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030006'
+);
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
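Review bot: The CRL-fetch rule `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` in hosts/sun/etc/iptables.rules is stateless, so under the DROP default it still admits any TCP segment from winnetou with source port 80 to every port on sun, not only replies to sun's own fetch. If connection tracking is available in the test kernel, `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT` limits it to reply traffic. Separately, the comment `# allow MobIKE` above the UDP 4500 rules would read more accurately as `# allow NAT-T (UDP-encapsulated ESP) and MobIKE`, since evaltest.dat checks for `UDP-encap: ESP` on that port.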
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..16e934968
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ attr-sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+}
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..50eccad21
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..e00d00e34
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql
@@ -0,0 +1,199 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* venus.strongswan.org */ + 2, X'76656e75732e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=venus.strongswan.org' */ + 11, X'8f5c0a6cb147fc1b51708046e0636c7a54012d67' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux 
strongSwan, CN=venus.strongswan.org */ + 1, 1, X'3082040f308202f7a003020102020118300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303532325a170d3134303832363130303532325a3047310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311d301b0603550403131476656e75732e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b3452cb2d9328eebcd929c7fbe66652a90484c9c8699f4df163974d6e538754570cc4df28659463cb3778a32d2b5e1cfde8a546c335de5d1b8795b1af43522a8826593f83eb67292e487506c0eb251fd67207af7f6d56e90eb57ebab0c787054f8ce3a283eebe1146b1920584f516cc88bf8ec3dae936e27059ed27f6f8ba154197cc21577274819f1f1990271ca6cd2f349a1e7b10ddb2ef4a07f473309ff6db19bf16af2b0dd3d5956cd6d3daf75e617dce2578b4c6c993fd89debf5543f41da66c0fd709fe1ce39c452f51f1290ffe45396663acfa9b8ac116e1460ac70b3db6b9836f74997aaba4c4a9b9651a80845998e69ea32777c76e6a6d8c0d7b9430203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604148f5c0a6cb147fc1b51708046e0636c7a54012d67306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d1104183016821476656e75732e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100ae4f8bf839636df8b4471315613455d83870ac487d945ec0538e648d73fd159fce8a8f67a6330f5e41d6da0a66b006b2aca1749e3243f070c49a5d80d0ac70c7a593332e6dc2d72fd42e80f4b8873e0c2e4251dad0c2640fe61544c46c043074d482c52a3f974bd9e4a5d483dcb9cd98425a96621c90579f3ff9ebbc272b5e89df1f5362d761e2c4fecbed2f1e0be8b14b36b2b45390ad960c3c6587d5d3721ec3672acbba245116b5a373acbd4e1547fea40d5f0101ab6b7d5188d05
15cb1efb81542688bacf53b5232f8201a19981355fd5275d3eae61a3d5e1b59c3a60abaa014eb6c4b2ff08c7bcbf33389307c3ce8f774a8e5d9466645507031b9cda989' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=venus.strongswan.org' */ + 1, X'308204a20201000282010100b3452cb2d9328eebcd929c7fbe66652a90484c9c8699f4df163974d6e538754570cc4df28659463cb3778a32d2b5e1cfde8a546c335de5d1b8795b1af43522a8826593f83eb67292e487506c0eb251fd67207af7f6d56e90eb57ebab0c787054f8ce3a283eebe1146b1920584f516cc88bf8ec3dae936e27059ed27f6f8ba154197cc21577274819f1f1990271ca6cd2f349a1e7b10ddb2ef4a07f473309ff6db19bf16af2b0dd3d5956cd6d3daf75e617dce2578b4c6c993fd89debf5543f41da66c0fd709fe1ce39c452f51f1290ffe45396663acfa9b8ac116e1460ac70b3db6b9836f74997aaba4c4a9b9651a80845998e69ea32777c76e6a6d8c0d7b9430203010001028201002f45f48d8d1cf9f7509472d474df079a7bc5b4fe29b87b8c408e123380eaac720d56b2cf5b823b355296194961ab38cada025c54d40ed4c5c301ad76a42346ea6cc86086bbf2dcafc3b7b30b6bacb6563e55a057b72d7d24960aef4881d758b7ef8c6265ae82012ea3375302369860395a3fdffc3c0700ab259e461ff8c83758469107b2178f13fb996880c7d71810ef6bfc2ace9f9f3dec4d82ba74965f67610c512d82b1d6ea617f97ec248b90cec556cf8ed31173d34005ef1c9f203f513fe9d21a43e7cbad3f3b9564a8eddd0b5a570acdda017953501b0fd1a1d61c51d72087c903de5f432d15ee0a83c571d13d122794574445891e6cce1272d9dfc58102818100eaf147f15cdcf46f7d2c86465f611f3837f027ad93cc33ce82ab9b50ca5046ac9d4f103d19a3c62b2a05ec61182b72bcb238bfb87d6a7288144b8eaf5cd72f9b9c5eec1e4e3e07d32c5ead7cc695781bc0e8f7c63a2af1ab3beb1434e9f837489ce38ef4ac2f5542cab
d6b487a14884f5d848ca5cfc6730287fbd33769e0836102818100c3568067b881ace3d24c57f74beacc804312bf7b39efc61383a86568d7c3bd3102f734040e0ee4e0cc5f7d1c8128baa274b525659adc4eccdd3b6e5ce7ac3bc6317070bc25159b9aa2e9459fe38defbfdeb9db420231a39e6c5442eaeece6a21f18c8bcc1074a041b39b8bb8e812b7fce0c8cd0c6964bd0c5144d79622dfa323028180392b0af17d423aac624e12424f75278e9b75f181b824093b27eaaff961b154f12dba0e5e7fbdad3bd596e964dae7bf9c90d56439753310b9720ecca27939d758cb1d01e181f2701eff7dee431d63437da55c4ae64e4322d922d459ef623b46e0816491e5917c5707d0a374d686f63610f1d58e0fced620282e84a569a776bd2102818062d907297588c980900eea04ce7a06fa70f6afc71fce6221c5e2154f34c06ca0bcab73bb099227e84a039840306bf7e5f5c12527817232be20c5ce575d351f1a7032421a3379f7c00ce896bf0e5be912e3169209992a9d6db1cc0200f8cfa38d81ba6993de4fe638d936c141d4ce8424876b95b7ce2d982cff8322c56ae8589902818050666db5164e14c675a5a10ab49cef6dfedb60d92a5b588863901500df38838004277f75d161f15e1efeb855b2054e1f532d10824f478a14916df9eada5bf034d59478c426b7cb755a91065034fa147e0ba030f77ef1db9b1634cb94016c3bda9647887ba112756d6e84bcf10b309165290036d31f89508abd038e063c5b7dea' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_VENUS', 'PH_IP_SUN' +); + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + '%any', '%any' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'nat-t', 1, 4, 5, '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'shunts', 2, 7, 7, 0 +); + +INSERT INTO child_configs ( + name +) VALUES ( + 'nat-t' +); + +INSERT INTO child_configs ( + name, mode, start_action +) VALUES ( + 'local-net', 4, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + 
peer_cfg, child_cfg
+) VALUES (
+ 2, 2
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 0.0.0.0/0 */
+ 7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 3, 2
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 1
+);
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..2f01cdcce
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+
+ keep_alive = 5
+}
diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..f410dd776
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+alice::rm /etc/ipsec.d/ipsec.*
+venus::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
+moon::iptables -t nat -F
\ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..0314e7ad1
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,20 @@
+alice::rm /etc/ipsec.d/cacerts/*
+venus::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+alice::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+venus::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
\ No newline at end of file
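Review bot: The `cat … > /etc/ipsec.d/ipsec.sql` and `cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db` lines in pretest.dat create both files with whatever umask the test shell happens to have, and venus's data.sql earlier in this diff inserts the host's RSA private key into `private_keys` as an unencrypted blob, so the key ends up in two further files that may be world-readable. The keys here are published test fixtures, but this recipe tends to be copied into real setups, so I would drop the intermediate file and restrict the database: `venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql | sqlite3 /etc/ipsec.d/ipsec.db` followed by `venus::chmod 600 /etc/ipsec.d/ipsec.db`, and the same for alice and sun. That assumes charon runs as root in these guests, which the hunk does not show. posttest.dat already removes `/etc/ipsec.d/ipsec.*`, so cleanup needs no change.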
diff --git a/testing/tests/sql/shunt-policies-nat-rw/test.conf b/testing/tests/sql/shunt-policies-nat-rw/test.conf
new file mode 100644
index 000000000..bd82f03ad
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/sql/shunt-policies/description.txt b/testing/tests/sql/shunt-policies/description.txt
deleted file mode 100644
index 269e7957c..000000000
--- a/testing/tests/sql/shunt-policies/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-All traffic from the clients alice and venus is tunneled
-by default gateway moon to VPN gateway sun. In order to
-prevent local traffic within the 10.1.0.0/16 subnet to enter the
-tunnel, a local-net shunt policy with type=pass is set up.
-In order for the shunt to work, automatic route insertion must be disabled
-by adding install_routes = no to the charon section of strongswan.conf.
-

-In order to demonstrate the use of type=drop shunt policies, the
-venus-icmp connection prevents ICMP traffic to and from venus
-to use the IPsec tunnel by dropping such packets. Thanks to the local-net
-pass shunt, venus and moon can still ping each other, though.
diff --git a/testing/tests/sql/shunt-policies/evaltest.dat b/testing/tests/sql/shunt-policies/evaltest.dat
deleted file mode 100644
index 51dd9610b..000000000
--- a/testing/tests/sql/shunt-policies/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
-moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-venus::ssh PH_IP_BOB hostname::bob::YES
-bob::ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index a7fa09213..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql
deleted file mode 100644
index 4ece72ca1..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql
+++ /dev/null
@@ -1,227 +0,0 @@ -/* Identities */ - -INSERT INTO identities ( - type, data -) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ - 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ - 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ - 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* moon.strongswan.org */ - 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* sun.strongswan.org */ - 2, X'73756e2e7374726f6e677377616e2e6f7267' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ - 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* %any */ - 0, '%any' -); - -/* Certificates */ - -INSERT INTO certificates ( - type, keytype, data -) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ - 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' -); - -INSERT INTO certificates ( - type, keytype, data -) VALUES ( /* C=CH, O=Linux 
strongSwan, CN=moon.strongswan.org */ - 1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080
fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f' -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 1, 1 -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 1, 2 -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 1, 3 -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 2, 4 -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 2, 6 -); - -/* Private Keys */ - -INSERT INTO private_keys ( - type, data -) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ - 1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f
05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298' -); - -INSERT INTO private_key_identity ( - private_key, identity -) VALUES ( - 1, 4 -); - -INSERT INTO private_key_identity ( - private_key, identity -) VALUES ( - 1, 6 -); - -/* Configurations */ - -INSERT INTO ike_configs ( - local, remote -) VALUES ( - 'PH_IP_MOON', 'PH_IP_SUN' -); - -INSERT INTO ike_configs ( - local, remote -) VALUES ( - '%any', '%any' -); - -INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, mobike, dpd_delay -) VALUES ( - 'net-net', 1, 4, 5, 0, 0 -); - -INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay -) VALUES ( - 'shunts', 2, 7, 7, 0, 0, 0 -); -INSERT INTO child_configs ( - name, updown, hostaccess -) VALUES ( - 'net-net', 'ipsec _updown iptables', 1 -); - -INSERT INTO child_configs ( - name, mode, start_action -) VALUES ( - 'local-net', 4, 1 -); - -INSERT INTO 
child_configs ( - name, mode, start_action -) VALUES ( - 'venus-icmp', 5, 1 -); - -INSERT INTO peer_config_child_config ( - peer_cfg, child_cfg -) VALUES ( - 1, 1 -); - -INSERT INTO peer_config_child_config ( - peer_cfg, child_cfg -) VALUES ( - 2, 2 -); - -INSERT INTO peer_config_child_config ( - peer_cfg, child_cfg -) VALUES ( - 2, 3 -); -INSERT INTO traffic_selectors ( - type, start_addr, end_addr -) VALUES ( - 7, X'0a010000', X'0a01ffff' -); - -INSERT INTO traffic_selectors ( - type, start_addr, end_addr -) VALUES ( - 7, X'00000000', X'ffffffff' -); - -INSERT INTO traffic_selectors ( - type, start_addr, end_addr, protocol -) VALUES ( - 7, X'0a010014', X'0a010014', 1 -); - -INSERT INTO traffic_selectors ( - type, start_addr, end_addr, protocol -) VALUES ( - 7, X'00000000', X'ffffffff', 1 -); - -INSERT INTO child_config_traffic_selector ( - child_cfg, traffic_selector, kind -) VALUES ( - 1, 1, 0 -); - -INSERT INTO child_config_traffic_selector ( - child_cfg, traffic_selector, kind -) VALUES ( - 1, 2, 1 -); - -INSERT INTO child_config_traffic_selector ( - child_cfg, traffic_selector, kind -) VALUES ( - 2, 1, 0 -); - -INSERT INTO child_config_traffic_selector ( - child_cfg, traffic_selector, kind -) VALUES ( - 2, 1, 1 -); - -INSERT INTO child_config_traffic_selector ( - child_cfg, traffic_selector, kind -) VALUES ( - 3, 3, 0 -); - -INSERT INTO child_config_traffic_selector ( - child_cfg, traffic_selector, kind -) VALUES ( - 3, 4, 1 -); diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 76bb21bea..000000000 --- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# secrets are read from SQLite database 
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
deleted file mode 100644
index af0f25209..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow icmp in local net
--A INPUT -i eth1 -p icmp -j ACCEPT
--A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index b3a7bc0de..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- plugins {
- sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
- }
- }
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
- install_routes = no
-}
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index a7fa09213..000000000
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql
deleted file mode 100644
index 3a0fe67bf..000000000
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql
+++ /dev/null
@@ -1,152 +0,0 @@ -/* Identities */ - -INSERT INTO identities ( - type, data -) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ - 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ - 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ - 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* moon.strongswan.org */ - 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* sun.strongswan.org */ - 2, X'73756e2e7374726f6e677377616e2e6f7267' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ - 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' - ); - -/* Certificates */ - -INSERT INTO certificates ( - type, keytype, data -) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ - 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' -); - -INSERT INTO certificates ( - type, keytype, data -) VALUES ( /* C=CH, O=Linux 
strongSwan, CN=sun.strongswan.org */ - 1, 1, X'3082042030820308a003020102020116300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373039353930345a170d3134303832363039353930345a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b30190603550403131273756e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100df95548a67e90e63694fff10dea9e80e5c49f51f8412b49856b695a145661fd8d21eba017aaaad0dd7f75ee1ed836c4a4ebca28c18f61f48de03b1ee135506c26bd958dd602f9bd2ae4d4e16b4f7f0399a29affe9ad88faa34c9ac31a0f8e80ecf5887b0fb29ff85f1f920934b2d9472595fae89edd36b1576e0d7106577e129e4eaf615b119f50594a51413ba176936dff8f58bb1439f437a663d2116f0b2b2821c7d261ab26c0dda9e6f46a9fbc42f4971e30add5fafd30d29668014040b2902387b475ad67b4f08440b784f37dfe34d441806b9f9342aa193dde017aabc5af401085099d570f7b141da94323714a5715bf1637345607c1208770432ba16c10203010001a38201193082011530090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e0416041456d69e2fdaa8a1cd195c2353e7c5b67096e30bfb306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301d0603551d1104163014821273756e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100a37ecb613f40c31d0c2bf9c0159a4f26a52bd04cbe3b952472c771ee7774d12966a6241163c2a6b915c20509c312074bb2d777b254234f4a49120585d29cf1c9b9c8e9e3b360084b7e16abb7e5f58544623466d78e0826dace08e7e2b7d9b54890d12a96c62777fe85f68a3964d3b4fde4d3aee2d97e435eff372104629efd9ecc69c57095859609b32d055e0ad5de5d19c45182943d5a2bc39666ad361f7096c7034a04869371c991bc67aba
f7954def351b0d6014bd65a15796c80e394047fc724fd029a88c62c95551ba57d8ac4ed4d391dbb7a1a002ba0028ba7aa89ba9f7e4f14002928ca23027485feceb98c90f1366d5474bb00e866f93ff91bf8c618' -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 1, 1 -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 1, 2 -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 1, 3 -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 2, 5 -); - -INSERT INTO certificate_identity ( - certificate, identity -) VALUES ( - 2, 6 -); - -/* Private Keys */ - -INSERT INTO private_keys ( - type, data -) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ - 1, X'308204a40201000282010100df95548a67e90e63694fff10dea9e80e5c49f51f8412b49856b695a145661fd8d21eba017aaaad0dd7f75ee1ed836c4a4ebca28c18f61f48de03b1ee135506c26bd958dd602f9bd2ae4d4e16b4f7f0399a29affe9ad88faa34c9ac31a0f8e80ecf5887b0fb29ff85f1f920934b2d9472595fae89edd36b1576e0d7106577e129e4eaf615b119f50594a51413ba176936dff8f58bb1439f437a663d2116f0b2b2821c7d261ab26c0dda9e6f46a9fbc42f4971e30add5fafd30d29668014040b2902387b475ad67b4f08440b784f37dfe34d441806b9f9342aa193dde017aabc5af401085099d570f7b141da94323714a5715bf1637345607c1208770432ba16c102030100010282010031f9d618cddb393d1d5825426713016cdc5227b970b321acff8cf66b42f0ede3702c30158e8ec1f9db314f031f2d0632a1e0e6507c6fdf545153f01cb0338c3c3f11291cea9819b381048494ecc492ecbd39de3e01ecb048325e75dfee045512a2643e885fcbe672d140877885105e2325390ef183b883321c0d6be51d592b79dfd0f3b522a29509f6c5d3d98c59cc4f4fe9aef978340ffc667e78fd27560eae7245d2d66fa10ad55ef2277ebcec65d1d63cc6b60cbb4d7ba77142554d8817ed174fd539fa8160fc60043f45f4f40dd5989b85874a049bf7f356f250591f6cb2de183e94d8287d712f4df0643b94325b7d4b22bd2d095eb384921c63d33168a502818100f6c92d6977e13cb7b41028dd79010eab910ab83ac2be248a08eb8057804348eb1dc3afb92d67d855bfe891ef0def494bdd109b95c8f5a4e296522d8efd2a4425d0d176e8b0da033d717b77fdb0a14931c2e13b08c7137f0dbf4e1
a0ef6919e2c458e40bbecf20004180705e1156bb1d7de09939a8ad096e5346f49e5032a643702818100e7ee610601d43043bea5d304e6502249ce4f70d4de8e903a8fe3a2902878fc7157cb70bf74bc7e0acd7e7a0c3ae1cf2255a22f344a3b9fb13d2347b75ea6a73d15e1327051acffb7f4e56c58f999d7c2e2d878bce0ac09ca2f18d759775c93aa698a45c0c554b99a7147475f1b993fe46c13fed12499006094e806de6db350c702818100e26dd577d6a1579769e405caa7329c26388f3057e1c49a3bf85133d19502a74dea6258c1bbf272e0c292fe0aebab28822dd4061cd964e123712ef75421defce601819eeb8310953674000829413dcaad9894151949a70ec52b48dac9eddbcfd7e8fdcb5161e6ecb2d4e4e4b50f755f98a3c5ffa325489b9ab39084a9564d37e302818047f5087b21a42099541404a55783732fece76ebd4c9374a206b47c62377c59ee1c6c0cfe098cd59a2a695c1a61465fca6a41185e23cddddcd27818af0699b3f75acb74a7ae5f7b332ab2e76baf7d1098f162720b3fb580900f0ea8f9a3f3c008b617e54e4aaadfaed0086a5752abb84bf95036d5d281f9c0fd5203978cf77e4f028181009b29e83640d4b6aa13c81bd79aa890d13aec66c5bff4eddece05cb60320c55bca86a5bd856e364b2809e7d7f2cf94231416927dc39d7f88242b211ac15a38e7fabaca6210537ed1e2f178096f59dc27da21bc09a7b2dc1d5cc7d3bb28fc736c66e6ba19609208b254e4c782462673936445892f4a21a2cfe2066776fe255ce89' -); - -INSERT INTO private_key_identity ( - private_key, identity -) VALUES ( - 1, 5 -); - -INSERT INTO private_key_identity ( - private_key, identity -) VALUES ( - 1, 6 -); - -/* Configurations */ - -INSERT INTO ike_configs ( - local, remote -) VALUES ( - 'PH_IP_SUN', 'PH_IP_MOON' -); - -INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, mobike, dpd_delay -) VALUES ( - 'net-net', 1, 5, 4, 0, 0 -); - -INSERT INTO child_configs ( - name, updown -) VALUES ( - 'net-net', 'ipsec _updown iptables' -); - -INSERT INTO peer_config_child_config ( - peer_cfg, child_cfg -) VALUES ( - 1, 1 -); - -INSERT INTO traffic_selectors ( - type, start_addr, end_addr -) VALUES ( - 7, X'0a010000', X'0a01ffff' -); - -INSERT INTO traffic_selectors ( - type, start_addr, end_addr -) VALUES ( - 7, X'00000000', X'ffffffff' -); - -INSERT INTO child_config_traffic_selector 
( - child_cfg, traffic_selector, kind -) VALUES ( - 1, 2, 0 -); - -INSERT INTO child_config_traffic_selector ( - child_cfg, traffic_selector, kind -) VALUES ( - 1, 1, 1 -); - diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index 76bb21bea..000000000 --- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# secrets are read from SQLite database diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 930b72578..000000000 --- a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,10 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - plugins { - sql { - database = sqlite:///etc/ipsec.d/ipsec.db - } - } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql -} diff --git a/testing/tests/sql/shunt-policies/posttest.dat b/testing/tests/sql/shunt-policies/posttest.dat deleted file mode 100644 index 329a572b2..000000000 --- a/testing/tests/sql/shunt-policies/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/shunt-policies/pretest.dat b/testing/tests/sql/shunt-policies/pretest.dat deleted file mode 100644 index b62da613c..000000000 --- a/testing/tests/sql/shunt-policies/pretest.dat +++ /dev/null 
@@ -1,12 +0,0 @@ -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -moon::iptables-restore < /etc/iptables.rules -sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::sleep 1 -moon::ipsec up net-net diff --git a/testing/tests/sql/shunt-policies/test.conf b/testing/tests/sql/shunt-policies/test.conf deleted file mode 100644 index 646b8b3e6..000000000 --- a/testing/tests/sql/shunt-policies/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/swanctl/ip-pool-db/description.txt b/testing/tests/swanctl/ip-pool-db/description.txt new file mode 100755 index 000000000..9774e573b --- /dev/null +++ b/testing/tests/swanctl/ip-pool-db/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +Both carol and dave request a virtual IP via the IKEv2 configuration payload +by using the leftsourceip=%config parameter. The gateway moon assigns virtual IP +addresses from a pool named bigpool that was created in an SQL database by the command +ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0. +

+The updown script automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnels, carol and dave then ping the client +alice behind the gateway moon. The source IP addresses of the two pings will be the +virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat new file mode 100755 index 000000000..f76c35689 --- /dev/null +++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat 
@@ -0,0 +1,23 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=big_pool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_req=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..8f87a52e9
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
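Review bot: The two gateway-side checks in ip-pool-db/evaltest.dat (`moon:: swanctl --list-sas --ike-id 1 …` and `--ike-id 2 …`) end at `remote-ts=\[10.3.0.1/32]` and `remote-ts=\[10.3.0.2/32]` without the `::YES` field that every other entry in the file carries. Depending on how the harness treats a missing expectation field, moon's view of the negotiated proposal and traffic selectors may not actually be asserted, so a gateway that installed a different ESP transform could go unnoticed. Append `::YES` to both lines; the same two lines in ip-pool/evaltest.dat have the same omission.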
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0bb341486
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..8f87a52e9
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici
+}
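Review bot: `dh_exponent_ansi_x9_42 = no` in the charon section of carol's strongswan.conf is set without a comment, and it is a security-relevant switch: it makes the DH private exponent shorter than the ANSI X9.42 size, presumably to keep handshakes fast in the test guests. Test configurations tend to be copied into deployments, so a line such as `# test-only: shorter DH exponents for speed, keep the default in production` above it would help. The dave and moon files of this test repeat the setting under `charon`, while the ip-pool and net2net tests in this commit put it under `libstrongswan`; using one section throughout would make it clear that the same option is meant.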
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..24d2f8645
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+ vips = 0.0.0.0
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..2f632288d
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown sqlite attr-sql vici
+
+ plugins {
+ attr-sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+}
+
+pool {
+ load = sqlite
+}
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..d05dea005
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,31 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = big_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool-db/posttest.dat b/testing/tests/swanctl/ip-pool-db/posttest.dat
new file mode 100755
index 000000000..2644b3941
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/posttest.dat
@@ -0,0 +1,11 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ipsec pool --del big_pool 2> /dev/null
+moon::ipsec pool --del dns 2> /dev/null
+moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat
new file mode 100755
index 000000000..0607f6715
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/pretest.dat
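Review bot: The `remote` section of moon's `rw` connection sets only `auth = pubkey` and no `id`, so the gateway does not constrain which identity may connect; what is accepted then depends entirely on the CA certificates loaded on moon. That is the usual roadwarrior setup, but it deserves a comment so the choice reads as deliberate, e.g. `# no remote id: any peer holding a certificate from a trusted CA is accepted`. The `rw` connection in ip-pool/hosts/moon/etc/swanctl/swanctl.conf has the same section.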
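Review bot: posttest.dat removes the pools with `ipsec pool --del …` but leaves `/etc/ipsec.d/ipsec.db` and `/etc/ipsec.d/ipsec.sql`, which pretest.dat creates on moon. The sql/shunt-policies posttest.dat removed by this commit cleaned up with `moon::rm /etc/ipsec.d/ipsec.*`; unless the harness resets the guest between tests, stale lease data could carry over into a later test that uses the same database path. Because the `--del` lines discard stderr, a failed deletion would not be visible either. Add `moon::rm /etc/ipsec.d/ipsec.*` as the last line.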
@@ -0,0 +1,21 @@
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::sleep 1
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/test.conf b/testing/tests/swanctl/ip-pool-db/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/ip-pool/description.txt b/testing/tests/swanctl/ip-pool/description.txt
new file mode 100755
index 000000000..23cab8e8f
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +Both carol and dave request a virtual IP via the IKEv2 configuration payload +by using the leftsourceip=%config parameter. The gateway moon assigns virtual +IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously +increasing order. +

+The updown script automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, carol and dave then ping +the client alice behind the gateway moon. The source IP addresses of the two +pings will be the virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat new file mode 100755 index 000000000..a16ed01a6 --- /dev/null +++ b/testing/tests/swanctl/ip-pool/evaltest.dat 
@@ -0,0 +1,15 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] +moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 
to peer.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_req=1::YES +alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0bb341486 --- /dev/null +++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf 
@@ -0,0 +1,33 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..24d2f8645 --- /dev/null +++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf 
@@ -0,0 +1,33 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..aa31d0f26 --- /dev/null +++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf 
@@ -0,0 +1,37 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+ pools = rw_pool
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+pools {
+ rw_pool {
+ addrs = 10.3.0.0/28
+ }
+}
diff --git a/testing/tests/swanctl/ip-pool/posttest.dat b/testing/tests/swanctl/ip-pool/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/swanctl/ip-pool/pretest.dat
new file mode 100755
index 000000000..d1afdf0be
--- /dev/null
+++ b/testing/tests/swanctl/ip-pool/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+moon::swanctl --load-pools 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
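Review bot: In ip-pool/pretest.dat the `swanctl --load-conns` lines follow `service charon start` directly, whereas ip-pool-db/pretest.dat puts `moon::sleep 1` between them; if the service command returns before the daemon accepts vici requests, the loads can fail, and `2> /dev/null` on every line hides the error. The failure would then only surface later as an unexplained evaltest mismatch. Add `moon::sleep 1` after the three start lines, and consider keeping stderr on the `--load-creds` lines so that a key that failed to load is reported. The pretest.dat files of net2net-cert and net2net-route in this commit have the same sequence.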
diff --git a/testing/tests/swanctl/ip-pool/test.conf b/testing/tests/swanctl/ip-pool/test.conf new file mode 100755 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/swanctl/ip-pool/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/swanctl/net2net-cert/description.txt b/testing/tests/swanctl/net2net-cert/description.txt new file mode 100755 index 000000000..345769a5f --- /dev/null +++ b/testing/tests/swanctl/net2net-cert/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/swanctl/net2net-cert/evaltest.dat b/testing/tests/swanctl/net2net-cert/evaltest.dat new file mode 100755 index 000000000..cdbecd553 --- /dev/null +++ b/testing/tests/swanctl/net2net-cert/evaltest.dat 
@@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2f0fd9da1 --- /dev/null 
+++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + mobike = no + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e4c855621 --- /dev/null +++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf 
@@ -0,0 +1,34 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + mobike = no + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/net2net-cert/posttest.dat b/testing/tests/swanctl/net2net-cert/posttest.dat new file mode 100755 index 000000000..30d10b555 --- /dev/null +++ b/testing/tests/swanctl/net2net-cert/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/swanctl/net2net-cert/pretest.dat new file mode 100755 index 000000000..2c4ba6ca2 --- /dev/null +++ b/testing/tests/swanctl/net2net-cert/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::service charon start 2> /dev/null +sun::service charon start 2> /dev/null +moon::swanctl --load-conns 2> /dev/null +sun::swanctl --load-conns 2> /dev/null +moon::swanctl --load-creds 2> /dev/null +sun::swanctl --load-creds 2> /dev/null +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-cert/test.conf b/testing/tests/swanctl/net2net-cert/test.conf new file mode 100755 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/swanctl/net2net-cert/test.conf 
@@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/swanctl/net2net-route/description.txt b/testing/tests/swanctl/net2net-route/description.txt new file mode 100755 index 000000000..20640ef85 --- /dev/null +++ b/testing/tests/swanctl/net2net-route/description.txt @@ -0,0 +1,9 @@ +A tunnel that will connect the subnets behind the gateways moon +and sun, respectively, is preconfigured by installing a %trap eroute +on gateway moon by means of the setting auto=route in ipsec.conf. +A subsequent ping issued by client alice behind gateway moon to +bob located behind gateway sun triggers the %trap eroute and +leads to the automatic establishment of the subnet-to-subnet tunnel. +

+The updown script automatically inserts iptables-based firewall rules +that let pass the tunneled traffic. diff --git a/testing/tests/swanctl/net2net-route/evaltest.dat b/testing/tests/swanctl/net2net-route/evaltest.dat new file mode 100755 index 000000000..04df90bea --- /dev/null +++ b/testing/tests/swanctl/net2net-route/evaltest.dat @@ -0,0 +1,7 @@ +moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1dfcfd179
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ start_action = trap
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ mobike = no
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf
new file mode 100755
index 000000000..75f18475c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
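Review bot: The `charon` plugin list in `net2net-route/hosts/moon/etc/strongswan.conf` loads `md5` and `des`, although the connection in the accompanying swanctl.conf pins `proposals = aes128-sha256-modp2048` and `esp_proposals = aes128gcm128-modp2048`, so neither algorithm is negotiated in this scenario. Trimming the line to what the test exercises, e.g. `load = sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici`, keeps the example from being copied with legacy algorithms enabled. Whether the test certificates or another part of the harness still need either plugin is not visible in this hunk. The same list is added for sun and in the net2net-start and rw-cert host configs, and the rw-psk-* configs also list `md5` and `des`.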
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e4c855621 --- /dev/null +++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + mobike = no + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/net2net-route/posttest.dat b/testing/tests/swanctl/net2net-route/posttest.dat new file mode 100755 index 000000000..30d10b555 --- /dev/null +++ b/testing/tests/swanctl/net2net-route/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat new file mode 100755 index 000000000..61e33fa24 --- /dev/null +++ b/testing/tests/swanctl/net2net-route/pretest.dat @@ -0,0 +1,9 @@ +sun::iptables-restore < /etc/iptables.rules +moon::iptables-restore < /etc/iptables.rules +sun::service charon start 2> /dev/null +moon::service charon start 2> /dev/null +sun::swanctl --load-creds 2> /dev/null +moon::swanctl --load-creds 2> /dev/null +sun::swanctl --load-conns 2> /dev/null +moon::swanctl --load-conns 2> /dev/null +alice::ping -c 3 10.2.0.10 
diff --git a/testing/tests/swanctl/net2net-route/test.conf b/testing/tests/swanctl/net2net-route/test.conf new file mode 100755 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/swanctl/net2net-route/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/swanctl/net2net-start/description.txt b/testing/tests/swanctl/net2net-start/description.txt new file mode 100755 index 000000000..9c67ed605 --- /dev/null +++ b/testing/tests/swanctl/net2net-start/description.txt @@ -0,0 +1,6 @@ +A tunnel connecting the subnets behind the gateways moon and sun, +respectively, is automatically established by means of the setting +auto=start in ipsec.conf. The connection is tested by client alice +behind gateway moon pinging the client bob located behind +gateway sun. The updown script automatically inserts iptables-based +firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/swanctl/net2net-start/evaltest.dat b/testing/tests/swanctl/net2net-start/evaltest.dat new file mode 100755 index 000000000..cdbecd553 --- /dev/null +++ b/testing/tests/swanctl/net2net-start/evaltest.dat 
@@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6770f6ab7 --- /dev/null 
+++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + start_action = start + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + mobike = no + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e4c855621 --- /dev/null +++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf 
@@ -0,0 +1,34 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + mobike = no + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/net2net-start/posttest.dat b/testing/tests/swanctl/net2net-start/posttest.dat new file mode 100755 index 000000000..30d10b555 --- /dev/null +++ b/testing/tests/swanctl/net2net-start/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/swanctl/net2net-start/pretest.dat new file mode 100755 index 000000000..0560092c5 --- /dev/null +++ b/testing/tests/swanctl/net2net-start/pretest.dat @@ -0,0 +1,9 @@ +sun::iptables-restore < /etc/iptables.rules +moon::iptables-restore < /etc/iptables.rules +sun::service charon start 2> /dev/null +moon::service charon start 2> /dev/null +sun::swanctl --load-creds 2> /dev/null +moon::swanctl --load-creds 2> /dev/null +sun::swanctl --load-conns 2> /dev/null +moon::swanctl --load-conns 2> /dev/null +moon::sleep 1 diff --git a/testing/tests/swanctl/net2net-start/test.conf b/testing/tests/swanctl/net2net-start/test.conf new file mode 100755 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/swanctl/net2net-start/test.conf 
@@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/swanctl/rw-cert/description.txt new file mode 100755 index 000000000..6af7a39ae --- /dev/null +++ b/testing/tests/swanctl/rw-cert/description.txt @@ -0,0 +1,6 @@ +The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on X.509 certificates. +Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/swanctl/rw-cert/evaltest.dat b/testing/tests/swanctl/rw-cert/evaltest.dat new file mode 100755 index 000000000..bb5e08bf4 --- /dev/null +++ b/testing/tests/swanctl/rw-cert/evaltest.dat 
@@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32] +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: 
icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0ba243300 --- /dev/null +++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null 
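Review bot: The two `moon:: swanctl --list-sas --ike-id N` lines in `rw-cert/evaltest.dat` end at `remote-ts=\[192.168.0.100/32]` and `remote-ts=\[192.168.0.200/32]` without the `::YES` field that every other line in the file carries. How the harness treats a line with no expected-result field is not visible here, so the gateway-side SA check may be skipped or misread; appending `::YES` to both lines makes the expectation explicit. The same two lines lack the field in `rw-psk-fqdn/evaltest.dat` and `rw-psk-ipv4/evaltest.dat`. These checks also assume carol gets IKE id 1 and dave id 2, which holds only while pretest.dat initiates them in that order.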
+++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a3420a479 --- /dev/null +++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..75f18475c --- /dev/null +++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} 
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..861d65ab6
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
diff --git a/testing/tests/swanctl/rw-cert/posttest.dat b/testing/tests/swanctl/rw-cert/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/swanctl/rw-cert/pretest.dat
new file mode 100755
index 000000000..3fdf01d81
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/pretest.dat
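Review bot: The `remote` section of the `rw` connection in `rw-cert/hosts/moon/etc/swanctl/swanctl.conf` sets only `auth = pubkey` and no `id`, so the gateway presumably accepts any peer whose certificate chains to a CA it has loaded. That is the usual roadwarrior setup, but the acceptance rule is implicit and the file is likely to be reused as a template. A comment above the section such as `# no id: any peer with a certificate from a loaded CA may connect` would state it. The `auth = psk` remote section in `rw-psk-fqdn/hosts/moon` has the same shape; there the `secrets` entries decide which identities can authenticate.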
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-cert/test.conf b/testing/tests/swanctl/rw-cert/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/rw-psk-fqdn/description.txt b/testing/tests/swanctl/rw-psk-fqdn/description.txt
new file mode 100755
index 000000000..47f6968ae
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/description.txt
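Review bot: Every `swanctl` call in `rw-cert/pretest.dat` redirects stderr to `/dev/null`, so a failed `--load-creds` or `--load-conns` shows up only later as a pattern mismatch in evaltest.dat. Dropping the redirection on the load lines, e.g. `moon::swanctl --load-creds`, would leave the cause in the test log, assuming the harness records command output (not visible here). The file also loads connections before credentials, whereas the net2net-route and net2net-start pretest files load credentials first; one order throughout would make the scenarios easier to compare.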
@@ -0,0 +1,6 @@ +The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on distinct pre-shared keys +and Fully Qualified Domain Names. Upon the successful establishment of the IPsec tunnels, +leftfirewall=yes automatically inserts iptables-based firewall rules that +let pass the tunneled traffic. In order to test both tunnel and firewall, both +carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat new file mode 100755 index 000000000..bb5e08bf4 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat 
@@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32] +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: 
icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..772f18a3b --- /dev/null +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c113620b3 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,41 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = psk + id = carol@strongswan.org + } + remote { + auth = psk + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} + +secrets { + + ike-moon { + id = moon.strongswan.org + # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + secret = 0x16964066a10de938bdb2ab7864fe4459cab1 + } +} + 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..772f18a3b --- /dev/null +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..928fd04c0 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,39 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = psk + id = dave@strongswan.org + } + remote { + auth = psk + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} + +secrets { + + ike-moon { + id = moon.strongswan.org + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..772f18a3b --- /dev/null +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8cae3e820 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,41 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = psk + id = moon.strongswan.org + } + remote { + auth = psk + } + children { + net { + local_ts = 10.1.0.0/16 + + start_action = none + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 10m + esp_proposals = aes128gcm128-modp2048 + } + } + + version = 2 + reauth_time = 60m + rekey_time = 20m + proposals = aes128-sha256-modp2048 + } +} + +secrets { + + ike-carol { + id = carol@strongswan.org + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } + ike-dave { + id = dave@strongswan.org + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat new file mode 100755 index 000000000..d7107ccc6 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat new file mode 100755 index 000000000..2018f5d95 --- /dev/null 
+++ b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat
@@ -0,0 +1,17 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-fqdn/test.conf b/testing/tests/swanctl/rw-psk-fqdn/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-fqdn/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/swanctl/rw-psk-ipv4/description.txt b/testing/tests/swanctl/rw-psk-ipv4/description.txt
new file mode 100755
index 000000000..b4aaa6a6a
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/description.txt
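Review bot: The three `cd /etc/swanctl; rm rsa/* x509/* x509ca/*` lines in `rw-psk-fqdn/pretest.dat` run `rm` even when the `cd` fails, in which case the relative globs expand in whatever directory the command started in. Absolute paths remove the dependency on the working directory: `moon::rm /etc/swanctl/rsa/* /etc/swanctl/x509/* /etc/swanctl/x509ca/*`, and likewise for carol and dave. posttest.dat does not put the deleted credentials back, so the test appears to rely on the harness restoring the guest files afterwards; that reliance is not visible in this diff.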
@@ -0,0 +1,6 @@ +The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on distinct pre-shared keys +and IPv4 addresses. Upon the successful establishment of the IPsec tunnels, +leftfirewall=yes automatically inserts iptables-based firewall rules that +let pass the tunneled traffic. In order to test both tunnel and firewall, both +carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat new file mode 100755 index 000000000..142e88e61 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat 
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=192.168.0.100 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=192.168.0.200 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.100 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.200 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bd00fc32c
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = 192.168.0.100
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.1
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = 192.168.0.1
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+}
+
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
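Review bot: The two `moon:: swanctl --list-sas --ike-id N --raw` checks in evaltest.dat end at `remote-ts=\[192.168.0.100/32]` and `remote-ts=\[192.168.0.200/32]` without the trailing `::YES` field that every other line of the file carries. How the test runner treats a line with no expected-result field is not visible here, so it is worth confirming that the gateway-side SA checks are actually evaluated; appending `::YES` to both lines makes them consistent with the carol and dave checks. The checks also assume `--ike-id 1` is carol and `--ike-id 2` is dave, which presumably follows from the initiation order in pretest.dat and deserves a sentence in description.txt.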
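Review bot: The `charon` `load` line in carol's strongswan.conf enables `md5` and `des`, which the proposals in the matching swanctl.conf (`aes128-sha256-modp2048`, `aes128gcm128-modp2048`) do not appear to use. Dropping the two from the list would keep legacy algorithms unavailable should the explicit `proposals` lines ever be removed; whether the scenario still passes without them needs to be confirmed by running it. The `swanctl` section likewise loads `x509 revocation constraints pubkey` although pretest.dat deletes the contents of the certificate directories. The identical file is added for dave and moon in the following hunks.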
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b30790b46
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ id = 192.168.0.200
+ }
+ remote {
+ auth = psk
+ id = 192.168.0.1
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-moon {
+ id = 192.168.0.1
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..772f18a3b
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..098b3c0ab
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ rekey_time = 10m
+ esp_proposals = aes128gcm128-modp2048
+ }
+ }
+
+ version = 2
+ reauth_time = 60m
+ rekey_time = 20m
+ proposals = aes128-sha256-modp2048
+ }
+}
+
+secrets {
+
+ ike-carol {
+ id = 192.168.0.100
+ secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+ }
+ ike-dave {
+ id = 192.168.0.200
+ secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+ }
+}
diff --git a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
new file mode 100755
index 000000000..2018f5d95
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
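Review bot: In moon's `rw` connection the `remote { auth = psk }` block carries no `id`, so the secret that gets used presumably depends only on the identity a peer presents, matched against the `id` entries under `secrets`. The file would be easier to audit with a comment above `secrets` saying that `ike-carol` and `ike-dave` are fixture keys that must stay in step with the `ike-moon` entries in carol's and dave's swanctl.conf, for example `# test fixture PSKs (0s prefix = base64); paired with ike-moon on carol and dave`. A short comment on `remote` noting that the peer identity is deliberately left open for the roadwarrior case would cover the other half.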
@@ -0,0 +1,17 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::swanctl --load-conns 2> /dev/null
+carol::swanctl --load-conns 2> /dev/null
+dave::swanctl --load-conns 2> /dev/null
+moon::swanctl --load-creds 2> /dev/null
+carol::swanctl --load-creds 2> /dev/null
+dave::swanctl --load-creds 2> /dev/null
+carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-ipv4/test.conf b/testing/tests/swanctl/rw-psk-ipv4/test.conf
new file mode 100755
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ipv4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
index 73646f8db..2f104f53a 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,12 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf index 73646f8db..2f104f53a 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf @@ -2,5 +2,12 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf index 3975f09a9..51425ac98 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf @@ -2,12 +2,18 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes + phase2_tnc_method = tnc + } + eap-tnc { + protocol = tnccs-1.1 } } } diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf index 4cc205cf7..4c770388d 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf index ac469590c..df385d55b 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql index 2bb7e7924..8b36df5e3 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 42, 1372330615 ); /* Groups Members */ diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf index 56c6b9f57..4eeff496c 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf 
@@ -2,7 +2,14 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index 145ad9d2d..7c27dbd71 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf index 4cc205cf7..4c770388d 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf index 5dbee558f..5424f4ca2 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf 
@@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf index 4cc205cf7..4c770388d 100644 --- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf index 5dbee558f..5424f4ca2 100644 --- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf index 2fe4cf001..3037d0082 100644 --- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf 
@@ -2,12 +2,18 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes + phase2_tnc_method = tnc + } + eap-tnc { + protocol = tnccs-1.1 } } } diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf index ced332cc4..20c0928b9 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = de, en } diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf index 70a1b07e6..64a25b405 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + multiple_authentication=no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = ru, fr, en } diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf index 59dce1874..7ee2ead8c 100644 
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } tnc-imv { recommendation_policy = all } diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf index f202bbfa8..c0e5e9476 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf index 996169add..4c31a78f6 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = ru , de, en } 
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf index 3e6bc65a6..46c736700 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf index 18e715785..d71893aad 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf @@ -2,10 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf index 18e715785..d71893aad 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf 
@@ -2,10 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf index 602979cf6..768138888 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf @@ -2,15 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-os-pts/description.txt b/testing/tests/tnc/tnccs-20-os-pts/description.txt new file mode 100644 index 000000000..0ade4ba30 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/description.txt @@ -0,0 +1,22 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +state of carol's and dave's operating system via the TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs +exchange PA-TNC attributes with the OS and Attestation IMVs via the IF-M 1.0 measurement +protocol defined by RFC 5792 PA-TNC. +

+carol sends information on her operating system consisting of the PA-TNC attributes
+Product Information, String Version, and Device ID up-front
+to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an
+Attribute Request PA-TNC attribute. dave is instructed to do a reference
+measurement on all files in the /bin directory. carol is then prompted to
+measure a couple of individual files and the files in the /bin directory as
+well as to get metadata on the /etc/tnc_confg configuration file.
+

+carol passes the health test and dave fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+Assessment Result PA-TNC attribute, the clients are connected by gateway moon
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+

diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
new file mode 100644
index 000000000..f9bb03357
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d17473db1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f64fe6a0c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+ multiple_authentication = no
+}
+
+libimcv {
+ plugins {
+ imc-os {
+ push_info = yes
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config
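Review bot: `rightauth=any` in carol's `conn home` puts no constraint in this file on how the gateway authenticates at the IKE level; per description.txt the gateway is meant to be authenticated through the server certificate it presents in EAP-TTLS. A comment on that line would keep the setting from being copied into a configuration that lacks that inner authentication, e.g. `# gateway is authenticated inside EAP-TTLS (server certificate), hence rightauth=any`. The `charondebug="tnc 3, imc 3, pts 3"` level is presumably test-only verbosity and could be marked as such in the same way. The same `conn home` settings are added for dave in the next ipsec.conf hunk.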
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..d459bfc6c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..075919aec
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ tnc-imc {
+ preferred_language = de
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-os {
+ push_info = no
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..bc8b2d8f9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql
new file mode 100644
index 000000000..8b36df5e3
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql
@@ -0,0 +1,29 @@
+/* Devices */
+
+INSERT INTO devices ( /* 1 */
+ value, product, created
+) VALUES (
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+ group_id, device_id
+) VALUES (
+ 10, 1
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+ 3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 16, 2, 0
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e81908f31
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,31 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+
+ multiple_authentication = no
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
+
+libimcv {
+ database = sqlite:///etc/pts/config.db
+ policy_script = ipsec imv_policy_manager
+ plugins {
+ imv-attestation {
+ hash_algorithm = sha1
+ }
+ }
+}
+
+attest {
+ load = random nonce openssl sqlite
+ database = sqlite:///etc/pts/config.db
+}
+
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..6507baaa1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
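Review bot: `hash_algorithm = sha1` in the `imv-attestation` block of moon's strongswan.conf selects SHA-1 for the attestation measurements with no explanation. If the reference values loaded into `/etc/pts/config.db` for this test exist only as SHA-1, say so in a comment such as `# sha1: reference hashes in config.db are SHA-1 only (test fixture)`; otherwise prefer `hash_algorithm = sha256`, so that anyone copying this scenario does not inherit a weak digest for integrity measurements. Which of the two applies cannot be told from the hunk.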
diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
new file mode 100644
index 000000000..48514d6e0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
new file mode 100644
index 000000000..49ea0416e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/test.conf
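Review bot: pretest.dat overwrites dave's `/var/lib/dbus/machine-id` with the fixed ID `aabbccddeeff11223344556677889900`, and posttest.dat never puts the original back, although it does undo the `ip_forward` change on carol and removes `/etc/pts/config.db` on moon. Unless the framework resets guest filesystems between tests, every later test on dave would see the device ID that data1.sql places in group 10, which looks like what drives dave's enforcement result. Consider saving the file in pretest.dat with `dave::cp /var/lib/dbus/machine-id /var/lib/dbus/machine-id.orig` and restoring it in posttest.dat with `dave::mv /var/lib/dbus/machine-id.orig /var/lib/dbus/machine-id`.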
@@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt index 941113434..c4a2c90c4 100644 --- a/testing/tests/tnc/tnccs-20-os/description.txt +++ b/testing/tests/tnc/tnccs-20-os/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 -client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair -is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to -exchange PA-TNC attributes. -

+

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS tunnel +to determine the state of carol's and dave's operating system via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs +exchange PA-TNC attributes with the OS IMV via the IF-M 1.0 measurement protocol +defined by RFC 5792 PA-TNC. +

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, Numeric Version, Operational Status, Forwarding Enabled, Factory Default Password Enabled diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat index 21a7278d7..b9f094ffd 100644 --- a/testing/tests/tnc/tnccs-20-os/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --sessions 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --sessions 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf index 34941e52c..4f5993e07 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf 
@@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf index 49f778f5b..4ed358dee 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = de } diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql index 6682a5a1c..6e7e10feb 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 42, 1372330615 ); /* Groups Members */ @@ -27,7 +27,7 @@ INSERT INTO identities ( INSERT INTO sessions ( time, connection, identity, device, product, rec ) VALUES ( - NOW, 1, 1, 1, 28, 0 + NOW, 1, 1, 1, 42, 0 ); /* Results */ diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index 3e017e905..ed81c1778 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 0ac88dd8d..d991ee325 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -15,6 +15,6 @@ carol::sleep 1 carol::ipsec up home dave::ipsec up home dave::sleep 1 -moon::ipsec attest --packages --product 'Debian 7.2 x86_64' +moon::ipsec attest --packages --product 'Debian 7.4 x86_64' moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/description.txt b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt new file mode 100644 index 000000000..a178211e1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt @@ -0,0 +1,12 @@ +The roadwarriors carol and dave set up a connection each to the policy enforcement +point moon. At the outset the gateway authenticates itself to the clients by sending an IKEv2 +RSA signature accompanied by a certificate. carol and dave then set up an +EAP-TTLS tunnel each via gateway moon to the policy decision point alice +authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak +client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within +the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 +client-server interface defined by RFC 5793 PB-TNC. The communication between IMCs and IMVs +is based on the IF-M protocol defined by RFC 5792 PA-TNC. +
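Review bot: The product string in tnccs-20-os/pretest.dat, `moon::ipsec attest --packages --product 'Debian 7.4 x86_64'`, does not match the `Debian 7.5 x86_64` that the evaltest.dat hunk of the same test now expects from `ipsec attest --sessions`. If the package list is meant to be shown for the release the clients actually report, the line should read `moon::ipsec attest --packages --product 'Debian 7.5 x86_64'`; if 7.4 is deliberate because the database template only carries 7.4 package data, that deserves a remark in description.txt. The hunk starts at line 15 of pretest.dat, so the earlier setup commands are not visible here.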

+carol passes the health test and dave fails. Based on these measurements the clients +are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat new file mode 100644 index 000000000..9a477bd04 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat 
@@ -0,0 +1,29 @@ +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +dave:: cat /var/log/daemon.log::collected 372 SWID tags::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES +dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +carol::cat /var/log/daemon.log::collected 373 SWID tag IDs::YES +carol::cat /var/log/daemon.log::collected 1 SWID tag::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES +alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of 373 SWID tag IDs and 1 SWID tag::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 
'carol' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES +moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..626000612 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default @@ -0,0 +1,26 @@ +WSGIPythonPath /var/www/tnc + + + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + + + Order deny,allow + Allow from all + + + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + Alias /static/ /var/www/tnc/static/ + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined + diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..f2e611952 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imv 3" + +conn aaa + leftcert=aaaCert.pem + leftid=aaa.strongswan.org + auto=add 
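Review bot: The expectations in tnccs-20-pdp-eap/evaltest.dat pin exact inventory sizes and work item numbers, for example `collected 372 SWID tags`, `collected 373 SWID tag IDs` and `IMV 2 handled SWIDT workitem 9`, which depend on the packages installed in the guest image rather than on the TNC behaviour under test. This commit already has to bump `Debian 7.2` to `Debian 7.5` in tnccs-20-os/evaltest.dat for the same kind of drift. Since the pattern field already uses regular expressions (`PDP server.*aaa.strongswan.org.*`), a looser match such as `collected [0-9]* SWID tags::YES` would keep the check meaningful without failing on every image rebuild.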
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem new file mode 100644 index 000000000..6aeb0c0b1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R +RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm +Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W +Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF +AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni +wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg +EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa +yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp +iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 +bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d +HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr +EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 +v42sww== +-----END CERTIFICATE----- 
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem new file mode 100644 index 000000000..da8cdb051 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx +bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh +9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ +/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp +NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR +BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds +Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi +NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV +IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 +Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI +aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X +YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq +b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If +/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN +P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X +V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t +cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c +PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m +a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo +NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b +xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ +J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 +YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ +SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu +EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..11d45cd14 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets 
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aaaKey.pem
+
+carol : EAP "Ar3etTnp"
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql
new file mode 100644
index 000000000..8adc45915
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices ( /* 1 */
+ value, product, created
+) VALUES (
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+ group_id, device_id
+) VALUES (
+ 10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+ type, value
+) VALUES ( /* dave@strongswan.org */
+ 5, X'64617665'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+ time, connection, identity, device, product, rec
+) VALUES (
+ NOW, 1, 1, 1, 42, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+ session, policy, rec, result
+) VALUES (
+ 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+ policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+ 3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 17, 2, 86400
+);
+
+INSERT INTO enforcements (
+ policy, group_id, max_age
+) VALUES (
+ 18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644
index 000000000..5e7b7b556
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=0
+TEMPLATE_DEBUG=0
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..a60f1dead
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,35 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ max_message_count = 0
+ }
+ eap-tnc {
+ max_message_count = 0
+ }
+ tnc-pdp {
+ server = aaa.strongswan.org
+ radius {
+ secret = gv6URkSs
+ }
+ }
+ }
+}
+
+libimcv {
+ debug_level = 3
+ database = sqlite:///etc/pts/config.db
+ policy_script = ipsec imv_policy_manager
+
+ plugins {
+ imv-swid {
+ rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..ebe88bc99
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so
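Review bot: `SECRET_KEY=strongSwan` in settings.ini is a fixed, guessable Django signing key, and the same word is the password embedded in `rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/` in alice's strongswan.conf in this commit, where it also travels over plain HTTP. Both are acceptable on an isolated test network, but nothing in either file says so. A leading comment such as `# test fixture only - generate a random SECRET_KEY for any real strongTNC deployment` in settings.ini, and a matching remark above `rest_api_uri`, would keep these values from being copied into a production policy server.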
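Review bot: `max_message_count = 0` is set for both `eap-ttls` and `eap-tnc` in alice's strongswan.conf, and again in carol's and dave's strongswan.conf for this test, without a comment. A value of 0 removes the cap on processed EAP packets, presumably so that the large SWID inventories can be transferred, but that cap is also what bounds how long a misbehaving peer can keep an EAP exchange running against the policy decision point. Please add a comment along the lines of `# 0 = no limit, needed for the full SWID inventory; keep a finite value in production`, or use a finite limit sized for the expected inventory.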
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6e6430e4d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 2, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ eap_identity=carol
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c040f0997
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+ plugins {
+ eap-ttls {
+ max_message_count = 0
+ }
+ eap-tnc {
+ max_message_count = 0
+ }
+ tnccs-20 {
+ max_batch_size = 32754
+ max_message_size = 32722
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a954883a4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..4846af279
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 2, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ eap_identity=dave
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..02e0c9963
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..cd9efeecb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,30 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + plugins { + eap-ttls { + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnccs-20 { + max_batch_size = 32754 + max_message_size = 32722 + } + } +} + +libimcv { + plugins { + imc-os { + push_info = no + } + imc-swid { + swid_directory = /usr/share + swid_pretty = no + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a954883a4 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..02ada5665 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightsendcert=never + right=%any + eap_identity=%any 
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d32951866 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf 
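Review bot: The reply rules in moon's iptables.rules match on source port only. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` accepts any TCP segment from winnetou with source port 80 to any local port, not just answers to the CRL fetch, and the RADIUS rule with `--sport 1812` has the same shape. Tying them to connection state keeps the default-DROP policy meaningful, e.g. `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m conntrack --ctstate ESTABLISHED -j ACCEPT`. The alice, carol and dave iptables.rules added for tnccs-20-pdp-pt-tls repeat the pattern.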
@@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + #server = PH_IP6_ALICE + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat new file mode 100644 index 000000000..1e5c3f8cd --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat @@ -0,0 +1,9 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::ipsec stop +alice::service apache2 stop +alice::rm /etc/pts/config.db +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat new file mode 100644 index 000000000..4ba63d1c5 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -0,0 +1,21 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan +alice::service apache2 start +alice::ipsec start +moon::ipsec start +dave::ipsec start +carol::ipsec start +carol::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 
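Review bot: The `eap-radius` block in moon's strongswan.conf keeps a commented-out `#server = PH_IP6_ALICE` next to the live `server = PH_IP_ALICE` without explanation, and the short shared `secret` is not marked as a fixture value. I would either drop the dead line or annotate it, `# IPv6 variant of the PDP address, unused in this test`. Above `secret` I would add `# test-only RADIUS shared secret`, so the value is not mistaken for something acceptable on a real PEP-to-PDP link.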
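Review bot: pretest.dat overwrites dave's `/var/lib/dbus/machine-id` with a fixed value and the posttest.dat added next to it never restores the original, so the guest keeps the fake ID for later tests unless the framework resets the file by other means. Saving it first with `dave::cp /var/lib/dbus/machine-id /var/lib/dbus/machine-id.orig` and restoring it in posttest.dat with `dave::mv /var/lib/dbus/machine-id.orig /var/lib/dbus/machine-id` would make the test self-contained. The `sed -i "s/NOW/..."` step likewise edits `/etc/pts/data1.sql` in place, so a second run would find no `NOW` left to substitute. The pretest.dat/posttest.dat pair for tnccs-20-pdp-pt-tls has the same gaps.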
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
new file mode 100644
index 000000000..c4ca1a19f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave alice"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
new file mode 100644
index 000000000..45a77e900
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
@@ -0,0 +1,9 @@
+The PT-TLS (RFC 6876) clients carol and dave set up a connection each to the policy decision
+point (PDP) alice. carol uses password-based SASL PLAIN client authentication during the
+PT-TLS negotiation phase and dave uses certificate-based TLS client authentication during the
+TLS setup phase.
+

+During the ensuing PT-TLS data transport phase the OS and SWID IMC/IMV pairs
+loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
+embedded in PB-TNC (RFC 5793) batches. The SWID IMC on carol is requested to deliver
+a concise SWID Tag ID Inventory whereas dave must send a full SWID Tag Inventory.
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
new file mode 100644
index 000000000..9327f51bf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
@@ -0,0 +1,19 @@ +dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES +dave:: cat /var/log/auth.log::collected 372 SWID tags::YES +carol::cat /var/log/auth.log::received SASL Success result::YES +carol::cat /var/log/auth.log::collected 373 SWID tag IDs::YES +carol::cat /var/log/auth.log::collected 1 SWID tag::YES +alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES +alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES +alice::cat /var/log/daemon.log::certificate status is good::YES +alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES +alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES +alice::cat /var/log/daemon.log::received SWID tag inventory with 372 items for request 3 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES +alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES +alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice::cat /var/log/daemon.log::received SWID tag ID inventory with 373 items for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::1 SWID tag target::YES +alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..626000612 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default 
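Review bot: Several checks in evaltest.dat pin exact inventory sizes: `collected 372 SWID tags`, `collected 373 SWID tag IDs`, and the matching `with 372 items` / `with 373 items` patterns on alice. These numbers presumably follow from the package set installed in the guest image, so an image update that adds or removes one package would fail the test for reasons unrelated to PT-TLS or SWID handling. Other patterns in the file already use `.*`, so something like `collected .* SWID tags` and `received SWID tag inventory with .* items for request 3` would keep the assertion about the exchange without the image dependency.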
@@ -0,0 +1,26 @@ +WSGIPythonPath /var/www/tnc + + + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + + + Order deny,allow + Allow from all + + + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + Alias /static/ /var/www/tnc/static/ + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined + diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..7b2118f7e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tls 2, tnc 2, imv 3" + +conn aaa + leftcert=aaaCert.pem + leftid=aaa.strongswan.org + auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem new file mode 100644 index 000000000..6aeb0c0b1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem 
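Review bot: `Order deny,allow` followed by `Allow from all` is the Apache 2.2 access-control form and grants every client access to the strongTNC site. The enclosing container directives did not survive on this page, so I cannot tell which path the grant covers. On Apache 2.4 these directives only work through mod_access_compat, and the native form is `Require all granted`. Because `WSGIPassAuthorization On` hands the Authorization header through to the application, I would also add a comment such as `# access is limited by /etc/iptables.rules on alice, not by Apache` so the open grant is not read as the intended policy.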
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R +RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm +Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W +Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF +AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni +wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg +EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa +yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp +iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 +bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d +HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr +EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 +v42sww== +-----END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem new file mode 100644 index 000000000..da8cdb051 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx +bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh +9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ +/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp +NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR +BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds +Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi +NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV +IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 +Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI +aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X +YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq +b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If +/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN +P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X +V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t +cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c +PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m +a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo +NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b +xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ +J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 +YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ +SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu +EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..11d45cd14 --- /dev/null 
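Review bot: aaaKey.pem is an unencrypted RSA private key for the `aaa.strongswan.org` PDP certificate, and once it is in the tree it is public, so that certificate and the CA that signed it can only ever be treated as test material. Nothing in the files added for this test says so. A sentence in description.txt such as `All keys and certificates under hosts/ are public test fixtures and must never be trusted outside the test environment.` would make that explicit. The blob index of aaaCert.pem matches the one deleted from tnccs-20-pdp further down, so this looks like a move of existing fixtures rather than new key material.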
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA aaaKey.pem + +carol : EAP "Ar3etTnp" +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..1586214d8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# open loopback interface +-A INPUT -i lo -j ACCEPT +-A OUTPUT -o lo -j ACCEPT + +# allow PT-TLS +-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql new file mode 100644 index 000000000..14f9d7de6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql 
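Review bot: alice's iptables.rules hard-codes winnetou as `192.168.0.150`, whereas moon's rules for tnccs-20-pdp-eap in this same commit use the `PH_IP_WINNETOU` placeholder for the identical CRL-fetch rule. If the placeholder substitution also runs over these files (the substitution step is not visible here), using it keeps the rules correct when the test network is renumbered: `-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT`. The carol and dave iptables.rules for this test repeat the literal and additionally hard-code `10.1.0.10` for the PDP, where `PH_IP_ALICE` is presumably the equivalent.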
@@ -0,0 +1,61 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 42, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +/* Identities */ + +INSERT INTO identities ( + type, value +) VALUES ( /* dave@strongswan.org */ + 4, X'64617665407374726f6e677377616e2e6f7267' +); + +/* Sessions */ + +INSERT INTO sessions ( + time, connection, identity, device, product, rec +) VALUES ( + NOW, 1, 1, 1, 42, 0 +); + +/* Results */ + +INSERT INTO results ( + session, policy, rec, result +) VALUES ( + 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 17, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 18, 10, 86400 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini new file mode 100644 index 000000000..5e7b7b556 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini @@ -0,0 +1,19 @@ +[debug] +DEBUG=0 +TEMPLATE_DEBUG=0 +DEBUG_TOOLBAR=0 + +[db] +DJANGO_DB_URL=sqlite:////var/www/tnc/django.db +STRONGTNC_DB_URL = sqlite:////etc/pts/config.db + +[localization] +LANGUAGE_CODE=en-us +TIME_ZONE=Europe/Zurich + +[admins] +Your Name: alice@strongswan.org + +[security] +SECRET_KEY=strongSwan +ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..eb807b189 --- /dev/null 
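Review bot: `SECRET_KEY=strongSwan` in settings.ini is a guessable constant. The `DJANGO_DB_URL` entry suggests a Django application, where this key protects signed values such as session data, so a known key removes that protection. Inside the isolated test network that is acceptable, but this file is the only strongTNC settings example a reader finds here, so I would mark it with `# test fixture only - use a long random SECRET_KEY in any real deployment`. The same caveat applies to the `strongSwan` password that pretest.dat sets for the web user.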
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -0,0 +1,29 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + + plugins { + tnc-pdp { + server = aaa.strongswan.org + radius { + secret = gv6URkSs + } + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +libimcv { + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..ebe88bc99 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..4a41e7ed9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..d2f6378b8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# the PT-TLS client loads its secrets via the command line 
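Review bot: `rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/` in alice's strongswan.conf embeds the REST credentials in the URI and sends them as basic authentication over plain HTTP. In this test the endpoint appears to be alice itself, since the Apache site added above answers as tnc.strongswan.org, which limits the exposure to the host, but the file does not say that. A comment above the option, `# test only: basic auth over http to the local strongTNC instance; use a TLS-protected URI and a non-default password elsewhere`, would keep it from being copied as-is.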
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql new file mode 100644 index 000000000..805c8bfd9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql @@ -0,0 +1,4 @@ +/* strongSwan SQLite database */ + +/* configuration is read from the command line */ +/* credentials are read from the command line */ diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..d01d0a3c9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT +-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options new file mode 100644 index 000000000..d485e9bf7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options @@ -0,0 +1,6 @@ +--connect aaa.strongswan.org +--client carol +--secret "Ar3etTnp" +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--quiet +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..29fdf0235 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+pt-tls-client {
+ load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..f40174e57
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..4a41e7ed9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d2f6378b8
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql
new file mode 100644
index 000000000..805c8bfd9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..d01d0a3c9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT +-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options new file mode 100644 index 000000000..ca3ca3aa1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options @@ -0,0 +1,7 @@ +--connect aaa.strongswan.org +--client dave@strongswan.org +--key /etc/ipsec.d/private/daveKey.pem +--cert /etc/ipsec.d/certs/daveCert.pem +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--quiet +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..0a7f048bf --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf @@ -0,0 +1,21 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + plugins { + imc-os { + push_info = no + } + imc-swid { + swid_directory = /usr/share + swid_pretty = yes + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +pt-tls-client { + load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 +} 
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..f40174e57
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
new file mode 100644
index 000000000..b7da857a7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
@@ -0,0 +1,9 @@
+carol::ip route del 10.1.0.0/16 via 192.168.0.1
+dave::ip route del 10.1.0.0/16 via 192.168.0.1
+winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+alice::ipsec stop
+alice::service apache2 stop
+alice::rm /etc/pts/config.db
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
new file mode 100644
index 000000000..ca8f47db0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
@@ -0,0 +1,23 @@ +alice::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +dave::cat /etc/tnc_config +alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan +alice::service apache2 start +alice::ipsec start +alice::sleep 1 +winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 +dave::ip route add 10.1.0.0/16 via 192.168.0.1 +dave::cat /etc/pts/options +dave::ipsec pt-tls-client --optionsfrom /etc/pts/options +carol::ip route add 10.1.0.0/16 via 192.168.0.1 +carol::cat /etc/pts/options +carol::ipsec pt-tls-client --optionsfrom /etc/pts/options +carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf new file mode 100644 index 000000000..0887e4d09 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="carol dave alice" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + 
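Review bot: `carol::cat /etc/pts/options` in pretest.dat prints carol's options file, including the `--secret "Ar3etTnp"` SASL PLAIN password, into the test console log, and `manage.py setpassword strongSwan strongSwan` passes the web password as a command-line argument. Both are fixture values, but test logs tend to be archived or shared, and the habit carries over to real setups. Filtering the secret out of the logged output, `carol::grep -v -- --secret /etc/pts/options`, keeps the diagnostic value of the step without echoing the credential.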
diff --git a/testing/tests/tnc/tnccs-20-pdp/description.txt b/testing/tests/tnc/tnccs-20-pdp/description.txt deleted file mode 100644 index a178211e1..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/description.txt +++ /dev/null @@ -1,12 +0,0 @@ -The roadwarriors carol and dave set up a connection each to the policy enforcement -point moon. At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. carol and dave then set up an -EAP-TTLS tunnel each via gateway moon to the policy decision point alice -authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak -client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within -the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 -client-server interface defined by RFC 5793 PB-TNC. The communication between IMCs and IMVs -is based on the IF-M protocol defined by RFC 5792 PA-TNC. -

-carol passes the health test and dave fails. Based on these measurements the clients -are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat deleted file mode 100644 index 505a4d079..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat +++ /dev/null 
@@ -1,22 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
-moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 6f673dcc5..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn aaa - leftcert=aaaCert.pem - leftid=aaa.strongswan.org - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem deleted file mode 100644 index 6aeb0c0b1..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R -RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm -Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W -Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF -AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni -wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg -EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB -BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y -Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa -yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp -iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 -bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d -HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr -EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 -v42sww== ------END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem deleted file mode 100644 index da8cdb051..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx -bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh -9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ -/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp -NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR -BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds -Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi -NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV -IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 -Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI -aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X -YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq -b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If -/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN -P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X -V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t -cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c -PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m -a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo -NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b -xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ -J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 -YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ -SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu -EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b ------END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index 11d45cd14..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets +++ /dev/null 
@@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA aaaKey.pem - -carol : EAP "Ar3etTnp" -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf deleted file mode 100644 index ec4956c31..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - } - eap-tnc { - protocol = tnccs-2.0 - } - tnc-pdp { - server = aaa.strongswan.org - radius { - secret = gv6URkSs - } - } - } -} - -libimcv { - debug_level = 3 - plugins { - imv-test { - rounds = 1 - } - } -} diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config deleted file mode 100644 index da732f68b..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so -IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 59563730b..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - eap_identity=carol - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 23d79cf2e..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 808f1d11a..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } -} - -libimcv { - plugins { - imc-test { - command = allow - } - } -} diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so 
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 8c27c78d2..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - eap_identity=dave - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 02e0c9963..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 96ff63ab1..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } -} - -libimcv { - plugins { - imc-test { - command = isolate - } - imc-scannner { - push_info = no - } - } -} diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 02ada5665..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightsendcert=never - right=%any - eap_identity=%any diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules deleted file mode 100644 index 1eb755354..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules +++ /dev/null 
@@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf deleted file mode 100644 index d32951866..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,14 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown - multiple_authentication=no - plugins { - eap-radius { - secret = gv6URkSs - #server = PH_IP6_ALICE - server = PH_IP_ALICE - filter_id = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp/posttest.dat deleted file mode 100644 index e7eecd5f4..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/posttest.dat +++ /dev/null 
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
deleted file mode 100644
index 32ed4d854..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-alice::ipsec start
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp/test.conf
deleted file mode 100644
index c4ca1a19f..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave alice"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pt-tls/description.txt
deleted file mode 100644
index 45a77e900..000000000
--- a/testing/tests/tnc/tnccs-20-pt-tls/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@ -The PT-TLS (RFC 6876) clients carol and dave set up a connection each to the policy decision -point (PDP) alice. carol uses password-based SASL PLAIN client authentication during the -PT-TLS negotiation phase and dave uses certificate-based TLS client authentication during the -TLS setup phase. -

-During the ensuing PT-TLS data transport phase the OS and SWID IMC/IMV pairs -loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages -embedded in PB-TNC (RFC 5793) batches. The SWID IMC on carol is requested to deliver -a concise SWID Tag ID Inventory whereas dave must send a full SWID Tag Inventory. diff --git a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat deleted file mode 100644 index 3139ca082..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat +++ /dev/null @@ -1,12 +0,0 @@ -alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES -alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES -alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES -alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES -alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES -alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-.*.swidtag::YES -alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES -alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES -alice:: cat /var/log/daemon.log::certificate status is good::YES -alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES -alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES -alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf deleted file mode 100644 index d8b84334a..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf +++ /dev/null 
@@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tls 2, tnc 3, imv 3" - -conn aaa - leftcert=aaaCert.pem - leftid=aaa.strongswan.org - auto=add diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem deleted file mode 100644 index 6aeb0c0b1..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R -RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm -Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W -Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF -AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni -wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg -EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB -BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y -Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa -yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp -iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 -bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d -HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr -EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 -v42sww== ------END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem deleted file mode 100644 index da8cdb051..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx -bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh -9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ -/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp -NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR -BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds -Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi -NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV -IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 -Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI -aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X -YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq -b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If -/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN -P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X -V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t -cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c -PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m -a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo -NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b -xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ -J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 -YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ -SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu -EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b ------END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index 11d45cd14..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets +++ /dev/null 
@@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA aaaKey.pem - -carol : EAP "Ar3etTnp" -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules deleted file mode 100644 index 5b275392b..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules +++ /dev/null @@ -1,20 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow PT-TLS --A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT --A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql deleted file mode 100644 index 71592211b..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql +++ /dev/null 
@@ -1,61 +0,0 @@ -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 -); - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 10, 1 -); - -/* Identities */ - -INSERT INTO identities ( - type, value -) VALUES ( /* dave@strongswan.org */ - 4, X'64617665407374726f6e677377616e2e6f7267' -); - -/* Sessions */ - -INSERT INTO sessions ( - time, connection, identity, device, product, rec -) VALUES ( - NOW, 1, 1, 1, 28, 0 -); - -/* Results */ - -INSERT INTO results ( - session, policy, rec, result -) VALUES ( - 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' -); - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 10, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 17, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 18, 10, 86400 -); - -DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 21961d4b1..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite - - plugins { - tnc-pdp { - server = aaa.strongswan.org - radius { - secret = gv6URkSs - } - } - } -} - -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } -} - -libimcv { - database = sqlite:///etc/pts/config.db - policy_script = ipsec imv_policy_manager -} 
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config deleted file mode 100644 index ebe88bc99..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so -IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 4a41e7ed9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index d2f6378b8..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql deleted file mode 100644 index 805c8bfd9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql +++ /dev/null @@ -1,4 +0,0 @@ -/* strongSwan SQLite database */ - -/* configuration is read from the command line */ -/* credentials are read from the command line */ diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules deleted file mode 100644 index d01d0a3c9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules +++ /dev/null 
@@ -1,20 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow PT-TLS --A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT --A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options deleted file mode 100644 index f04e9472a..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options +++ /dev/null @@ -1,5 +0,0 @@ ---connect aaa.strongswan.org ---client carol ---secret "Ar3etTnp" ---cert /etc/ipsec.d/cacerts/strongswanCert.pem ---debug 2 diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf deleted file mode 100644 index de2fea244..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - plugins { - imc-os { - push_info = yes - } - imc-swid { - #swid_directory = /usr/share - } - } -} - -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } -} - -pt-tls-client { - load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 -} diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config deleted file mode 100644 index f40174e57..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config +++ /dev/null 
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 4a41e7ed9..000000000
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index d2f6378b8..000000000
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql
deleted file mode 100644
index 805c8bfd9..000000000
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql
+++ /dev/null
@@ -1,4 +0,0 @@
-/* strongSwan SQLite database */
-
-/* configuration is read from the command line */
-/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules
deleted file mode 100644
index d01d0a3c9..000000000
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules
+++ /dev/null
@@ -1,20 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow PT-TLS --A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT --A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options deleted file mode 100644 index 46821ec73..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options +++ /dev/null @@ -1,6 +0,0 @@ ---connect aaa.strongswan.org ---client dave@strongswan.org ---key /etc/ipsec.d/private/daveKey.pem ---cert /etc/ipsec.d/certs/daveCert.pem ---cert /etc/ipsec.d/cacerts/strongswanCert.pem ---debug 2 diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 39b2577ae..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - plugins { - imc-os { - push_info = no - } - } -} - -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } -} - -pt-tls-client { - load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 -} diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config deleted file mode 100644 index f40174e57..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config +++ /dev/null 
@@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so -IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat deleted file mode 100644 index c98df8671..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::ip route del 10.1.0.0/16 via 192.168.0.1 -dave::ip route del 10.1.0.0/16 via 192.168.0.1 -winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::ipsec stop -alice::rm /etc/pts/config.db -alice::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat deleted file mode 100644 index 97ff0c1ec..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat +++ /dev/null @@ -1,19 +0,0 @@ -alice::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -carol::echo 0 > /proc/sys/net/ipv4/ip_forward -dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id -dave::cat /etc/tnc_config -alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db -alice::ipsec start -winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 -carol::ip route add 10.1.0.0/16 via 192.168.0.1 -carol::cat /etc/pts/options -carol::ipsec pt-tls-client --optionsfrom /etc/pts/options -dave::ip route add 10.1.0.0/16 via 192.168.0.1 -dave::cat /etc/pts/options -dave::ipsec pt-tls-client --optionsfrom /etc/pts/options -dave::sleep 1 
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pt-tls/test.conf deleted file mode 100644 index 0887e4d09..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="carol dave alice" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt index 29976509a..febf07401 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 -client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair -is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to -exchange PA-TNC attributes. -

+

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the state of carol's and dave's operating system via the +TNCCS 2.0 client-server interface compliant with RFC 5793 PB-TNC. The OS IMC +and OS IMV pair is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC +to exchange PA-TNC attributes. +

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, and Device ID up-front to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an @@ -14,7 +15,7 @@ to the Attestation IMV, whereas dave must be prompted by the IMV to do so measurement on all files in the /bin directory. carol is then prompted to measure a couple of individual files and the files in the /bin directory as well as to get metadata on the /etc/tnc_confg configuration file. -

+

Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements, the mandatory default being ecp256, with the strongswan.conf option mandatory_dh_groups = no no ECC support is required. diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat index 5eb944055..f9bb03357 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf index 72bf2c7c9..53bb9dfaa 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index 6f71994ae..25c27be8b 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = de } diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql index 2bb7e7924..8b36df5e3 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 42, 1372330615 ); /* Groups Members */ diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf index e76598b9a..07d620c0e 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf 
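Review bot: Removing `eap-tnc { protocol = tnccs-2.0 }` from the charon section leaves this tnccs-20 test depending on whatever protocol the eap-tnc plugin selects by default, so a later change of that default would alter what the test exercises without any visible config change. If the default is meant to be relied on, a comment above `multiple_authentication = no` such as `# eap-tnc protocol intentionally left at its default (expected: tnccs-2.0)` would record that; otherwise keep the explicit setting. The same removal is repeated in the dave and moon strongswan.conf hunks of this test and in the tnccs-20-pts, tnccs-20-server-retry, tnccs-20-tls and tnccs-20 tests. The charon block starts before this hunk.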
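Review bot: The new `product` value `42` in the `INSERT INTO devices` row gives no hint of which product it refers to. It presumably has to match the entry for the OS string the evaltest now expects (`Debian 7.5 x86_64`), and that entry is defined outside this patch. A comment in the file's existing style, such as `/* product id of the Debian 7.5 x86_64 entry */`, would make the coupling visible. The identical change is made in tnccs-20-pts/hosts/moon/etc/pts/data1.sql, and the INSERT statement starts before the hunk.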
@@ -2,16 +2,15 @@ charon { load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-pts/description.txt b/testing/tests/tnc/tnccs-20-pts/description.txt index e78a70091..e532ab2cf 100644 --- a/testing/tests/tnc/tnccs-20-pts/description.txt +++ b/testing/tests/tnc/tnccs-20-pts/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 -client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair -is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to -exchange PA-TNC attributes. -

+

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS tunnel +to determine the state of carol's and dave's operating system via the TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs +exchange PA-TNC attributes with the OS IMV via the IF-M 1.0 measurement protocol +defined by RFC 5792 PA-TNC. +

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, and Device ID up-front to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat index 5eb944055..2d18138e4 100644 --- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat 
@@ -2,19 +2,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed' carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES -moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - allow::YES +moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES 
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf index e6046833c..f64fe6a0c 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index 3236a18fa..79c79b87f 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -2,11 +2,9 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = de } diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql index 2bb7e7924..8b36df5e3 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql 
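Review bot: After this hunk every expectation for dave is the allow path (`'Access Allowed'`, `rw-allow.*10.1.0.0/28 === 192.168.0.200/32`, ping to PH_IP_ALICE succeeds), so tnccs-20-pts no longer checks that a client which fails its measurement ends up in `rw-isolate` and is kept away from alice. The tnc_config hunk for moon in the same test drops the `IMV "OS"` line, which may be why dave's recommendation changes, but nothing in the patch says so. If the quarantine path is deliberately left to tnccs-20-pts-no-ecc, whose evaltest still expects `dave@strongswan.org - isolate`, the description should state that. Otherwise keep one negative assertion here, for example `moon:: ipsec statusall 2> /dev/null::rw-isolate::NO`.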
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 42, 1372330615 ); /* Groups Members */ diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index 0298a5151..e81908f31 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config index 6507baaa1..4865036f4 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config @@ -1,4 +1,3 @@ #IMV configuration file for strongSwan client -IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so diff --git a/testing/tests/tnc/tnccs-20-server-retry/description.txt b/testing/tests/tnc/tnccs-20-server-retry/description.txt index b37fbd445..f9ee7b803 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/description.txt +++ b/testing/tests/tnc/tnccs-20-server-retry/description.txt 
@@ -1,10 +1,11 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. The IMC and IMV communicate are using the IF-M -protocol defined by RFC 5792 PA-TNC. +

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The IMCs and IMVs exchange +messages over the IF-M protocol defined by RFC 5792 PA-TNC.

The first time the TNC clients carol and dave send their measurements, TNC server moon requests a handshake retry. In the retry carol succeeds diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf index 6f145ab0b..5e661c36e 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf index fce949901..6b86fe897 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = ru , de, en } diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf index 3e6bc65a6..46c736700 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf 
@@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-tls/description.txt b/testing/tests/tnc/tnccs-20-tls/description.txt index a032d2d05..f193bd27b 100644 --- a/testing/tests/tnc/tnccs-20-tls/description.txt +++ b/testing/tests/tnc/tnccs-20-tls/description.txt @@ -1,9 +1,10 @@ The roadwarriors carol and dave set up a connection each to gateway moon, both ends doing certificate-based EAP-TLS authentication only. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. The IMC and IMV communicate are using the IF-M -protocol defined by RFC 5792 PA-TNC. +

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The IMCs and IMVs exchange +messages over the IF-M protocol defined by RFC 5792 PA-TNC.

carol passes the health test and dave fails. Based on these measurements the clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf index ada13a325..1cf2f0e72 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf index 0870ca667..0e63eaba4 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf index bc1d421c1..1a4dc8521 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf 
@@ -2,25 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { request_peer_auth = yes phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } - } -} - -libimcv { - plugins { - imv-scanner { - closed_port_policy = no - tcp_ports = 80 443 - udp_ports = - } } } diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf index 6d8c10eab..292bfa53f 100644 --- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf index 1e5f50b05..75f6d73da 100644 --- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = ru, pl , de } 
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf index 1a0cc202e..94e1ee926 100644 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-dynamic/description.txt b/testing/tests/tnc/tnccs-dynamic/description.txt index 21e9bc675..86f6323c3 100644 --- a/testing/tests/tnc/tnccs-dynamic/description.txt +++ b/testing/tests/tnc/tnccs-dynamic/description.txt @@ -1,6 +1,7 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. +

In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of TNC client carol via the TNCCS 1.1 client-server interface and of TNC client dave via the TNCCS 2.0 client-server interface. TNC server diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf index f4ea047ec..c8e5e8ad3 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf @@ -10,6 +10,11 @@ charon { eap-tnc { protocol = tnccs-1.1 } + } +} + +libimcv { + plugins { imc-test { command = allow } diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf index 4c738ce42..9fc9cecee 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf @@ -10,6 +10,11 @@ charon { eap-tnc { protocol = tnccs-2.0 } + } +} + +libimcv { + plugins { imc-test { command = isolate } diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf index 0b1cf10eb..0d547cbe0 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf @@ -11,6 +11,7 @@ charon { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes + phase2_tnc_method = tnc } eap-tnc { protocol = tnccs-dynamic -- cgit v1.2.3
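Review bot: The added `phase2_tnc_method = tnc` in moon's eap-ttls block carries no comment explaining why this test alone sets it, while the other tests in this patch switch their descriptions to RFC 7171 PT-EAP and the tnccs-dynamic description keeps naming EAP-TNC. A line above it such as `# keep the legacy EAP-TNC transport, carol still speaks tnccs-1.1` would document the intent. That reason is inferred from carol's `protocol = tnccs-1.1` in the same test, so adjust the wording to the actual one. The eap-ttls block starts before the hunk and the eap-tnc block continues after it.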