From e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Tue, 21 Nov 2017 10:22:31 +0100 Subject: New upstream version 5.6.1 --- testing/tests/af-alg/alg-camellia/description.txt | 6 +- .../alg-camellia/hosts/carol/etc/strongswan.conf | 11 +- .../alg-camellia/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/af-alg/alg-camellia/posttest.dat | 4 +- testing/tests/af-alg/alg-camellia/pretest.dat | 4 +- .../af-alg/rw-cert/hosts/carol/etc/strongswan.conf | 12 +- .../af-alg/rw-cert/hosts/dave/etc/strongswan.conf | 12 +- .../af-alg/rw-cert/hosts/moon/etc/strongswan.conf | 12 +- testing/tests/af-alg/rw-cert/posttest.dat | 6 +- testing/tests/af-alg/rw-cert/pretest.dat | 6 +- .../tests/gcrypt-ikev1/alg-serpent/description.txt | 6 +- .../alg-serpent/hosts/carol/etc/strongswan.conf | 11 +- .../alg-serpent/hosts/moon/etc/strongswan.conf | 11 +- .../tests/gcrypt-ikev1/alg-serpent/posttest.dat | 4 +- testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat | 10 +- .../tests/gcrypt-ikev1/alg-twofish/description.txt | 6 +- .../alg-twofish/hosts/carol/etc/strongswan.conf | 11 +- .../alg-twofish/hosts/moon/etc/strongswan.conf | 11 +- .../tests/gcrypt-ikev1/alg-twofish/posttest.dat | 4 +- testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat | 8 +- .../gcrypt-ikev2/alg-camellia/description.txt | 7 +- .../tests/gcrypt-ikev2/alg-camellia/evaltest.dat | 10 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 22 - .../alg-camellia/hosts/carol/etc/strongswan.conf | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-camellia/hosts/moon/etc/ipsec.conf | 21 - .../alg-camellia/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/gcrypt-ikev2/alg-camellia/posttest.dat | 5 +- .../tests/gcrypt-ikev2/alg-camellia/pretest.dat | 8 +- testing/tests/gcrypt-ikev2/alg-camellia/test.conf | 4 + testing/tests/gcrypt-ikev2/rw-cert/description.txt | 8 +- testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat | 12 +- .../rw-cert/hosts/carol/etc/ipsec.conf | 22 - .../rw-cert/hosts/carol/etc/strongswan.conf | 7 +- .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf | 27 + .../gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf | 22 - .../rw-cert/hosts/dave/etc/strongswan.conf | 7 +- .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf | 27 + .../gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf | 21 - .../rw-cert/hosts/moon/etc/strongswan.conf | 7 +- .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf | 25 + testing/tests/gcrypt-ikev2/rw-cert/posttest.dat | 8 +- testing/tests/gcrypt-ikev2/rw-cert/pretest.dat | 14 +- testing/tests/gcrypt-ikev2/rw-cert/test.conf | 4 + .../ikev1/net2net-ah/hosts/moon/etc/ipsec.conf | 3 - .../net2net-ah/hosts/moon/etc/strongswan.conf | 6 + .../ikev1/net2net-ah/hosts/sun/etc/ipsec.conf | 3 - .../ikev1/net2net-ah/hosts/sun/etc/strongswan.conf | 6 + .../ikev1/net2net-esn/hosts/moon/etc/ipsec.conf | 3 - .../net2net-esn/hosts/moon/etc/strongswan.conf | 6 + .../ikev1/net2net-esn/hosts/sun/etc/ipsec.conf | 3 - .../net2net-esn/hosts/sun/etc/strongswan.conf | 6 + .../net2net-ntru-cert/hosts/moon/etc/ipsec.conf | 5 +- .../hosts/moon/etc/strongswan.conf | 6 + .../net2net-ntru-cert/hosts/sun/etc/ipsec.conf | 7 +- .../hosts/sun/etc/strongswan.conf | 6 + .../rw-cert-aggressive/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-cert-aggressive/hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/strongswan.conf | 5 + .../ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf | 3 - .../alg-blowfish/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf | 3 - .../alg-blowfish/hosts/moon/etc/strongswan.conf | 5 + .../ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf | 5 +- .../nat-rw-mark/hosts/sun/etc/strongswan.conf | 5 + .../ikev2/net2net-ah/hosts/moon/etc/ipsec.conf | 3 - .../net2net-ah/hosts/moon/etc/strongswan.conf | 6 + .../ikev2/net2net-ah/hosts/sun/etc/ipsec.conf | 3 - .../ikev2/net2net-ah/hosts/sun/etc/strongswan.conf | 6 + .../ikev2/net2net-esn/hosts/moon/etc/ipsec.conf | 5 +- .../net2net-esn/hosts/moon/etc/strongswan.conf | 6 + .../ikev2/net2net-esn/hosts/sun/etc/ipsec.conf | 7 +- .../net2net-esn/hosts/sun/etc/strongswan.conf | 6 + .../hosts/moon/etc/ipsec.conf | 5 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/sun/etc/ipsec.conf | 7 +- .../hosts/sun/etc/strongswan.conf | 6 + .../net2net-ntru-cert/hosts/moon/etc/ipsec.conf | 5 +- .../hosts/moon/etc/strongswan.conf | 6 + .../net2net-ntru-cert/hosts/sun/etc/ipsec.conf | 7 +- .../hosts/sun/etc/strongswan.conf | 6 + .../net2net-psk-dscp/hosts/moon/etc/ipsec.conf | 5 +- .../hosts/moon/etc/strongswan.conf | 5 + .../net2net-psk-dscp/hosts/sun/etc/ipsec.conf | 7 +- .../net2net-psk-dscp/hosts/sun/etc/strongswan.conf | 5 + .../ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf | 3 - .../net2net-rekey/hosts/moon/etc/strongswan.conf | 5 + .../net2net-rfc3779/hosts/moon/etc/ipsec.conf | 5 +- .../net2net-rfc3779/hosts/moon/etc/strongswan.conf | 5 + .../ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf | 7 +- .../net2net-rfc3779/hosts/sun/etc/strongswan.conf | 5 + .../redirect-active/hosts/carol/etc/ipsec.conf | 2 - .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf | 3 - .../hosts/moon/etc/strongswan.conf | 5 + .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf | 3 - .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 5 + .../rw-eap-tls-radius/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-ttls-only/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-ttls-only/hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/strongswan.conf | 5 + .../rw-eap-ttls-only/hosts/moon/etc/ipsec.conf | 3 - .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/ipsec.conf | 3 - .../hosts/moon/etc/strongswan.conf | 5 + .../rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/strongswan.conf | 5 + .../ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf | 5 +- .../rw-mark-in-out/hosts/sun/etc/strongswan.conf | 5 + .../ikev2/trap-any/hosts/carol/etc/ipsec.conf | 3 - .../ikev2/trap-any/hosts/carol/etc/strongswan.conf | 5 + .../tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf | 3 - .../ikev2/trap-any/hosts/dave/etc/strongswan.conf | 5 + .../tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf | 3 - .../ikev2/trap-any/hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf | 3 - .../ikev2/trap-any/hosts/sun/etc/strongswan.conf | 5 + .../ipv6-stroke/host2host-ikev1/description.txt | 5 + .../tests/ipv6-stroke/host2host-ikev1/evaltest.dat | 7 + .../host2host-ikev1/hosts/moon/etc/ipsec.conf | 32 ++ .../host2host-ikev1/hosts/moon/etc/strongswan.conf | 5 + .../host2host-ikev1/hosts/sun/etc/ipsec.conf | 31 + .../host2host-ikev1/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/host2host-ikev1/posttest.dat | 6 + .../tests/ipv6-stroke/host2host-ikev1/pretest.dat | 9 + .../tests/ipv6-stroke/host2host-ikev1/test.conf | 25 + .../ipv6-stroke/host2host-ikev2/description.txt | 5 + .../tests/ipv6-stroke/host2host-ikev2/evaltest.dat | 7 + .../host2host-ikev2/hosts/moon/etc/ipsec.conf | 31 + .../host2host-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../host2host-ikev2/hosts/sun/etc/ipsec.conf | 30 + .../host2host-ikev2/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/host2host-ikev2/posttest.dat | 6 + .../tests/ipv6-stroke/host2host-ikev2/pretest.dat | 9 + .../tests/ipv6-stroke/host2host-ikev2/test.conf | 25 + .../ipv6-stroke/net2net-ikev1/description.txt | 6 + .../tests/ipv6-stroke/net2net-ikev1/evaltest.dat | 7 + .../net2net-ikev1/hosts/moon/etc/ipsec.conf | 31 + .../net2net-ikev1/hosts/moon/etc/strongswan.conf | 7 + .../net2net-ikev1/hosts/sun/etc/ipsec.conf | 31 + .../net2net-ikev1/hosts/sun/etc/strongswan.conf | 7 + .../tests/ipv6-stroke/net2net-ikev1/posttest.dat | 10 + .../tests/ipv6-stroke/net2net-ikev1/pretest.dat | 13 + testing/tests/ipv6-stroke/net2net-ikev1/test.conf | 25 + .../ipv6-stroke/net2net-ikev2/description.txt | 6 + .../tests/ipv6-stroke/net2net-ikev2/evaltest.dat | 7 + .../net2net-ikev2/hosts/moon/etc/ipsec.conf | 32 ++ .../net2net-ikev2/hosts/moon/etc/strongswan.conf | 7 + .../net2net-ikev2/hosts/sun/etc/ipsec.conf | 32 ++ .../net2net-ikev2/hosts/sun/etc/strongswan.conf | 7 + .../tests/ipv6-stroke/net2net-ikev2/posttest.dat | 10 + .../tests/ipv6-stroke/net2net-ikev2/pretest.dat | 13 + testing/tests/ipv6-stroke/net2net-ikev2/test.conf | 25 + .../net2net-ip4-in-ip6-ikev1/description.txt | 4 + .../net2net-ip4-in-ip6-ikev1/evaltest.dat | 7 + .../hosts/moon/etc/ipsec.conf | 31 + .../hosts/moon/etc/strongswan.conf | 7 + .../hosts/sun/etc/ipsec.conf | 31 + .../hosts/sun/etc/strongswan.conf | 7 + .../net2net-ip4-in-ip6-ikev1/posttest.dat | 6 + .../net2net-ip4-in-ip6-ikev1/pretest.dat | 9 + .../ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf | 25 + .../net2net-ip4-in-ip6-ikev2/description.txt | 4 + .../net2net-ip4-in-ip6-ikev2/evaltest.dat | 7 + .../hosts/moon/etc/ipsec.conf | 31 + .../hosts/moon/etc/strongswan.conf | 7 + .../hosts/sun/etc/ipsec.conf | 31 + .../hosts/sun/etc/strongswan.conf | 7 + .../net2net-ip4-in-ip6-ikev2/posttest.dat | 6 + .../net2net-ip4-in-ip6-ikev2/pretest.dat | 9 + .../ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf | 25 + .../net2net-ip6-in-ip4-ikev1/description.txt | 6 + .../net2net-ip6-in-ip4-ikev1/evaltest.dat | 7 + .../hosts/moon/etc/ip6tables.rules | 20 + .../hosts/moon/etc/ipsec.conf | 21 + .../hosts/moon/etc/strongswan.conf | 7 + .../hosts/sun/etc/ip6tables.rules | 20 + .../hosts/sun/etc/ipsec.conf | 21 + .../hosts/sun/etc/strongswan.conf | 7 + .../net2net-ip6-in-ip4-ikev1/posttest.dat | 10 + .../net2net-ip6-in-ip4-ikev1/pretest.dat | 13 + .../ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf | 25 + .../net2net-ip6-in-ip4-ikev2/description.txt | 6 + .../net2net-ip6-in-ip4-ikev2/evaltest.dat | 7 + .../hosts/moon/etc/ip6tables.rules | 20 + .../hosts/moon/etc/ipsec.conf | 22 + .../hosts/moon/etc/strongswan.conf | 6 + .../hosts/sun/etc/ip6tables.rules | 20 + .../hosts/sun/etc/ipsec.conf | 22 + .../hosts/sun/etc/strongswan.conf | 6 + .../net2net-ip6-in-ip4-ikev2/posttest.dat | 10 + .../net2net-ip6-in-ip4-ikev2/pretest.dat | 13 + .../ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf | 25 + testing/tests/ipv6-stroke/rw-ikev1/description.txt | 7 + testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat | 15 + .../rw-ikev1/hosts/carol/etc/ipsec.conf | 27 + .../rw-ikev1/hosts/carol/etc/strongswan.conf | 5 + .../ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf | 27 + .../rw-ikev1/hosts/dave/etc/strongswan.conf | 5 + .../ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf | 26 + .../rw-ikev1/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ipv6-stroke/rw-ikev1/posttest.dat | 12 + testing/tests/ipv6-stroke/rw-ikev1/pretest.dat | 17 + testing/tests/ipv6-stroke/rw-ikev1/test.conf | 25 + testing/tests/ipv6-stroke/rw-ikev2/description.txt | 7 + testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat | 15 + .../rw-ikev2/hosts/carol/etc/ipsec.conf | 26 + .../rw-ikev2/hosts/carol/etc/strongswan.conf | 6 + .../ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf | 26 + .../rw-ikev2/hosts/dave/etc/strongswan.conf | 6 + .../ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf | 25 + .../rw-ikev2/hosts/moon/etc/strongswan.conf | 6 + testing/tests/ipv6-stroke/rw-ikev2/posttest.dat | 12 + testing/tests/ipv6-stroke/rw-ikev2/pretest.dat | 17 + testing/tests/ipv6-stroke/rw-ikev2/test.conf | 25 + .../rw-ip6-in-ip4-ikev1/description.txt | 10 + .../ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat | 15 + .../hosts/carol/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf | 21 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf | 21 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf | 20 + .../hosts/moon/etc/strongswan.conf | 5 + .../ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat | 10 + .../ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat | 15 + .../ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf | 25 + .../rw-ip6-in-ip4-ikev2/description.txt | 10 + .../ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat | 15 + .../hosts/carol/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf | 21 + .../hosts/carol/etc/strongswan.conf | 6 + .../hosts/dave/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf | 21 + .../hosts/dave/etc/strongswan.conf | 6 + .../hosts/moon/etc/ip6tables.rules | 20 + .../rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf | 20 + .../hosts/moon/etc/strongswan.conf | 6 + .../ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat | 10 + .../ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat | 15 + .../ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf | 25 + .../tests/ipv6-stroke/rw-psk-ikev1/description.txt | 7 + .../tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat | 15 + .../rw-psk-ikev1/hosts/carol/etc/ipsec.conf | 18 + .../rw-psk-ikev1/hosts/carol/etc/ipsec.secrets | 3 + .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf | 5 + .../rw-psk-ikev1/hosts/dave/etc/ipsec.conf | 19 + .../rw-psk-ikev1/hosts/dave/etc/ipsec.secrets | 3 + .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-ikev1/hosts/moon/etc/ipsec.conf | 18 + .../rw-psk-ikev1/hosts/moon/etc/ipsec.secrets | 5 + .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/rw-psk-ikev1/posttest.dat | 12 + testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat | 20 + testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf | 25 + .../tests/ipv6-stroke/rw-psk-ikev2/description.txt | 7 + .../tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat | 15 + .../rw-psk-ikev2/hosts/carol/etc/ipsec.conf | 18 + .../rw-psk-ikev2/hosts/carol/etc/ipsec.secrets | 3 + .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf | 5 + .../rw-psk-ikev2/hosts/dave/etc/ipsec.conf | 19 + .../rw-psk-ikev2/hosts/dave/etc/ipsec.secrets | 3 + .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-ikev2/hosts/moon/etc/ipsec.conf | 18 + .../rw-psk-ikev2/hosts/moon/etc/ipsec.secrets | 5 + .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/rw-psk-ikev2/posttest.dat | 12 + testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat | 20 + testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf | 25 + .../ipv6-stroke/transport-ikev1/description.txt | 5 + .../tests/ipv6-stroke/transport-ikev1/evaltest.dat | 9 + .../transport-ikev1/hosts/moon/etc/ipsec.conf | 27 + .../transport-ikev1/hosts/moon/etc/strongswan.conf | 5 + .../transport-ikev1/hosts/sun/etc/ipsec.conf | 27 + .../transport-ikev1/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/transport-ikev1/posttest.dat | 6 + .../tests/ipv6-stroke/transport-ikev1/pretest.dat | 9 + .../tests/ipv6-stroke/transport-ikev1/test.conf | 25 + .../ipv6-stroke/transport-ikev2/description.txt | 5 + .../tests/ipv6-stroke/transport-ikev2/evaltest.dat | 10 + .../transport-ikev2/hosts/moon/etc/ipsec.conf | 27 + .../transport-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../transport-ikev2/hosts/sun/etc/ipsec.conf | 27 + .../transport-ikev2/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6-stroke/transport-ikev2/posttest.dat | 6 + .../tests/ipv6-stroke/transport-ikev2/pretest.dat | 9 + .../tests/ipv6-stroke/transport-ikev2/test.conf | 25 + testing/tests/ipv6/host2host-ikev1/description.txt | 11 +- testing/tests/ipv6/host2host-ikev1/evaltest.dat | 6 +- .../ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf | 32 -- .../host2host-ikev1/hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 32 ++ .../ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf | 31 - .../host2host-ikev1/hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 32 ++ testing/tests/ipv6/host2host-ikev1/posttest.dat | 4 +- testing/tests/ipv6/host2host-ikev1/pretest.dat | 9 +- testing/tests/ipv6/host2host-ikev1/test.conf | 4 + testing/tests/ipv6/host2host-ikev2/description.txt | 11 +- testing/tests/ipv6/host2host-ikev2/evaltest.dat | 8 +- .../ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf | 31 - .../host2host-ikev2/hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 33 ++ .../ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf | 30 - .../host2host-ikev2/hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 33 ++ testing/tests/ipv6/host2host-ikev2/posttest.dat | 4 +- testing/tests/ipv6/host2host-ikev2/pretest.dat | 6 +- testing/tests/ipv6/host2host-ikev2/test.conf | 6 +- testing/tests/ipv6/net2net-ikev1/description.txt | 13 +- testing/tests/ipv6/net2net-ikev1/evaltest.dat | 6 +- .../ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf | 31 - .../net2net-ikev1/hosts/moon/etc/strongswan.conf | 7 +- .../hosts/moon/etc/swanctl/swanctl.conf | 35 ++ .../ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf | 31 - .../net2net-ikev1/hosts/sun/etc/strongswan.conf | 7 +- .../hosts/sun/etc/swanctl/swanctl.conf | 35 ++ testing/tests/ipv6/net2net-ikev1/posttest.dat | 4 +- testing/tests/ipv6/net2net-ikev1/pretest.dat | 7 +- testing/tests/ipv6/net2net-ikev1/test.conf | 6 +- testing/tests/ipv6/net2net-ikev2/description.txt | 13 +- testing/tests/ipv6/net2net-ikev2/evaltest.dat | 6 +- .../ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf | 32 -- .../net2net-ikev2/hosts/moon/etc/strongswan.conf | 7 +- .../hosts/moon/etc/swanctl/swanctl.conf | 36 ++ .../ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf | 32 -- .../net2net-ikev2/hosts/sun/etc/strongswan.conf | 7 +- .../hosts/sun/etc/swanctl/swanctl.conf | 36 ++ testing/tests/ipv6/net2net-ikev2/posttest.dat | 4 +- testing/tests/ipv6/net2net-ikev2/pretest.dat | 6 +- testing/tests/ipv6/net2net-ikev2/test.conf | 6 +- .../ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat | 6 +- .../hosts/moon/etc/ipsec.conf | 31 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 35 ++ .../hosts/sun/etc/ipsec.conf | 31 - .../hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 35 ++ .../ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat | 4 +- .../ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat | 7 +- .../tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf | 6 +- .../ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat | 7 +- .../hosts/moon/etc/ipsec.conf | 31 - .../hosts/moon/etc/strongswan.conf | 10 +- .../hosts/moon/etc/swanctl/swanctl.conf | 36 ++ .../hosts/sun/etc/ipsec.conf | 31 - .../hosts/sun/etc/strongswan.conf | 10 +- .../hosts/sun/etc/swanctl/swanctl.conf | 36 ++ .../ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat | 4 +- .../ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat | 6 +- .../tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf | 6 +- .../ipv6/net2net-ip6-in-ip4-ikev1/description.txt | 14 +- .../ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat | 6 +- .../hosts/moon/etc/ipsec.conf | 21 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 28 + .../hosts/sun/etc/ipsec.conf | 21 - .../hosts/sun/etc/strongswan.conf | 11 +- .../hosts/sun/etc/swanctl/swanctl.conf | 28 + .../ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat | 4 +- .../ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat | 7 +- .../tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf | 6 +- .../ipv6/net2net-ip6-in-ip4-ikev2/description.txt | 14 +- .../ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat | 7 +- .../hosts/moon/etc/ipsec.conf | 22 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../hosts/sun/etc/ipsec.conf | 22 - .../hosts/sun/etc/strongswan.conf | 11 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 + .../ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat | 4 +- .../ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat | 6 +- .../tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf | 6 +- .../ipv6/net2net-rfc3779-ikev2/description.txt | 23 +- .../tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat | 6 +- .../hosts/moon/etc/ipsec.conf | 31 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 28 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/rsa/moonKey.pem | 27 + .../hosts/moon/etc/swanctl/swanctl.conf | 36 ++ .../hosts/moon/etc/swanctl/x509/moonCert.pem | 28 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf | 31 - .../sun/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/sun/etc/ipsec.d/certs/sunCert.pem | 28 - .../hosts/sun/etc/ipsec.d/private/sunKey.pem | 27 - .../hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/rsa/sunKey.pem | 27 + .../hosts/sun/etc/swanctl/swanctl.conf | 36 ++ .../hosts/sun/etc/swanctl/x509/sunCert.pem | 28 + .../sun/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../tests/ipv6/net2net-rfc3779-ikev2/posttest.dat | 4 +- .../tests/ipv6/net2net-rfc3779-ikev2/pretest.dat | 6 +- testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf | 6 +- testing/tests/ipv6/rw-compress-ikev2/evaltest.dat | 8 +- .../rw-compress-ikev2/hosts/carol/etc/ipsec.conf | 25 - .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 35 ++ .../rw-compress-ikev2/hosts/moon/etc/ipsec.conf | 24 - .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 33 ++ testing/tests/ipv6/rw-compress-ikev2/posttest.dat | 4 +- testing/tests/ipv6/rw-compress-ikev2/pretest.dat | 6 +- testing/tests/ipv6/rw-compress-ikev2/test.conf | 4 + testing/tests/ipv6/rw-ikev1/description.txt | 4 +- testing/tests/ipv6/rw-ikev1/evaltest.dat | 12 +- .../tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf | 27 - .../ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf | 8 +- .../rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf | 34 ++ .../tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf | 27 - .../ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf | 8 +- .../rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf | 34 ++ .../tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf | 26 - .../ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf | 8 +- .../rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf | 32 ++ testing/tests/ipv6/rw-ikev1/posttest.dat | 6 +- testing/tests/ipv6/rw-ikev1/pretest.dat | 10 +- testing/tests/ipv6/rw-ikev1/test.conf | 4 + testing/tests/ipv6/rw-ikev2/description.txt | 4 +- testing/tests/ipv6/rw-ikev2/evaltest.dat | 12 +- .../tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf | 26 - .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf | 9 +- .../rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf | 34 ++ .../tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf | 26 - .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf | 9 +- .../rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf | 34 ++ .../tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf | 25 - .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf | 9 +- .../rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf | 32 ++ testing/tests/ipv6/rw-ikev2/posttest.dat | 6 +- testing/tests/ipv6/rw-ikev2/pretest.dat | 10 +- testing/tests/ipv6/rw-ikev2/test.conf | 4 + .../tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt | 18 +- .../tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat | 12 +- .../rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/carol/etc/swanctl/swanctl.conf | 28 + .../rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/dave/etc/swanctl/swanctl.conf | 28 + .../rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 32 ++ .../tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat | 6 +- testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat | 10 +- testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf | 4 + .../tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt | 18 +- .../tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat | 12 +- .../rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/carol/etc/swanctl/swanctl.conf | 28 + .../rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/dave/etc/swanctl/swanctl.conf | 28 + .../rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 32 ++ .../tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat | 6 +- testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat | 10 +- testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf | 4 + testing/tests/ipv6/rw-psk-ikev1/description.txt | 10 +- testing/tests/ipv6/rw-psk-ikev1/evaltest.dat | 13 +- .../ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf | 18 - .../rw-psk-ikev1/hosts/carol/etc/ipsec.secrets | 3 - .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 34 ++ .../ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf | 19 - .../ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets | 3 - .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf | 8 +- .../hosts/dave/etc/swanctl/swanctl.conf | 34 ++ .../ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf | 18 - .../ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets | 5 - .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 37 ++ testing/tests/ipv6/rw-psk-ikev1/posttest.dat | 6 +- testing/tests/ipv6/rw-psk-ikev1/pretest.dat | 16 +- testing/tests/ipv6/rw-psk-ikev1/test.conf | 4 + testing/tests/ipv6/rw-psk-ikev2/description.txt | 10 +- testing/tests/ipv6/rw-psk-ikev2/evaltest.dat | 12 +- .../ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf | 18 - .../rw-psk-ikev2/hosts/carol/etc/ipsec.secrets | 3 - .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 34 ++ .../ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf | 19 - .../ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets | 3 - .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf | 8 +- .../hosts/dave/etc/swanctl/swanctl.conf | 34 ++ .../ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf | 18 - .../ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets | 5 - .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 37 ++ testing/tests/ipv6/rw-psk-ikev2/posttest.dat | 6 +- testing/tests/ipv6/rw-psk-ikev2/pretest.dat | 16 +- testing/tests/ipv6/rw-psk-ikev2/test.conf | 4 + testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat | 13 +- .../rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf | 26 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 27 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 - .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/carol/etc/swanctl/rsa/carolKey.pem | 27 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 ++ .../hosts/carol/etc/swanctl/x509/carolCert.pem | 27 + .../carol/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf | 26 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 27 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 27 - .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/dave/etc/swanctl/rsa/daveKey.pem | 27 + .../hosts/dave/etc/swanctl/swanctl.conf | 34 ++ .../hosts/dave/etc/swanctl/x509/daveCert.pem | 27 + .../dave/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf | 25 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 26 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 28 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 - .../hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/rsa/moonKey.pem | 27 + .../hosts/moon/etc/swanctl/swanctl.conf | 32 ++ .../hosts/moon/etc/swanctl/x509/moonCert.pem | 28 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 26 + testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat | 6 +- testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat | 10 +- testing/tests/ipv6/rw-rfc3779-ikev2/test.conf | 4 + testing/tests/ipv6/transport-ikev1/description.txt | 11 +- testing/tests/ipv6/transport-ikev1/evaltest.dat | 6 +- .../ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf | 27 - .../transport-ikev1/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 33 ++ .../ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf | 27 - .../transport-ikev1/hosts/sun/etc/strongswan.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 33 ++ testing/tests/ipv6/transport-ikev1/posttest.dat | 4 +- testing/tests/ipv6/transport-ikev1/pretest.dat | 6 +- testing/tests/ipv6/transport-ikev1/test.conf | 6 +- testing/tests/ipv6/transport-ikev2/description.txt | 11 +- testing/tests/ipv6/transport-ikev2/evaltest.dat | 7 +- .../ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf | 27 - .../transport-ikev2/hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 34 ++ .../ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf | 27 - .../transport-ikev2/hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 34 ++ testing/tests/ipv6/transport-ikev2/posttest.dat | 4 +- testing/tests/ipv6/transport-ikev2/pretest.dat | 6 +- testing/tests/ipv6/transport-ikev2/test.conf | 6 +- testing/tests/libipsec/host2host-cert/evaltest.dat | 6 +- .../host2host-cert/hosts/moon/etc/ipsec.conf | 19 - .../host2host-cert/hosts/moon/etc/strongswan.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../host2host-cert/hosts/sun/etc/ipsec.conf | 19 - .../host2host-cert/hosts/sun/etc/strongswan.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 26 + testing/tests/libipsec/host2host-cert/posttest.dat | 5 +- testing/tests/libipsec/host2host-cert/pretest.dat | 6 +- testing/tests/libipsec/host2host-cert/test.conf | 4 + testing/tests/libipsec/net2net-3des/evaltest.dat | 10 +- .../net2net-3des/hosts/moon/etc/ipsec.conf | 24 - .../net2net-3des/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../libipsec/net2net-3des/hosts/sun/etc/ipsec.conf | 24 - .../net2net-3des/hosts/sun/etc/strongswan.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 + testing/tests/libipsec/net2net-3des/posttest.dat | 5 +- testing/tests/libipsec/net2net-3des/pretest.dat | 10 +- testing/tests/libipsec/net2net-3des/test.conf | 4 + .../libipsec/net2net-cert-ipv6/description.txt | 14 + .../tests/libipsec/net2net-cert-ipv6/evaltest.dat | 5 + .../hosts/moon/etc/strongswan.conf | 10 + .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../net2net-cert-ipv6/hosts/moon/etc/updown | 597 +++++++++++++++++++ .../hosts/sun/etc/strongswan.conf | 10 + .../hosts/sun/etc/swanctl/swanctl.conf | 29 + .../net2net-cert-ipv6/hosts/sun/etc/updown | 597 +++++++++++++++++++ .../tests/libipsec/net2net-cert-ipv6/posttest.dat | 9 + .../tests/libipsec/net2net-cert-ipv6/pretest.dat | 11 + testing/tests/libipsec/net2net-cert-ipv6/test.conf | 25 + testing/tests/libipsec/net2net-cert/evaltest.dat | 6 +- .../net2net-cert/hosts/moon/etc/ipsec.conf | 22 - .../net2net-cert/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../libipsec/net2net-cert/hosts/sun/etc/ipsec.conf | 22 - .../net2net-cert/hosts/sun/etc/strongswan.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 + testing/tests/libipsec/net2net-cert/posttest.dat | 5 +- testing/tests/libipsec/net2net-cert/pretest.dat | 10 +- testing/tests/libipsec/net2net-cert/test.conf | 4 + testing/tests/libipsec/net2net-null/evaltest.dat | 10 +- .../net2net-null/hosts/moon/etc/ipsec.conf | 24 - .../net2net-null/hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 29 + .../libipsec/net2net-null/hosts/sun/etc/ipsec.conf | 24 - .../net2net-null/hosts/sun/etc/strongswan.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 29 + testing/tests/libipsec/net2net-null/posttest.dat | 5 +- testing/tests/libipsec/net2net-null/pretest.dat | 10 +- testing/tests/libipsec/net2net-null/test.conf | 4 + testing/tests/libipsec/rw-suite-b/description.txt | 10 - testing/tests/libipsec/rw-suite-b/evaltest.dat | 19 - .../libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf | 23 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 17 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 15 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 5 - .../rw-suite-b/hosts/carol/etc/ipsec.secrets | 3 - .../rw-suite-b/hosts/carol/etc/strongswan.conf | 13 - .../libipsec/rw-suite-b/hosts/carol/etc/updown | 638 --------------------- .../libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf | 23 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 17 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 15 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 5 - .../rw-suite-b/hosts/dave/etc/ipsec.secrets | 3 - .../rw-suite-b/hosts/dave/etc/iptables.flush | 21 - .../rw-suite-b/hosts/dave/etc/iptables.rules | 32 -- .../rw-suite-b/hosts/dave/etc/strongswan.conf | 13 - .../libipsec/rw-suite-b/hosts/dave/etc/updown | 638 --------------------- .../libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf | 23 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 17 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 15 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 5 - .../rw-suite-b/hosts/moon/etc/ipsec.secrets | 3 - .../rw-suite-b/hosts/moon/etc/strongswan.conf | 11 - .../libipsec/rw-suite-b/hosts/moon/etc/updown | 638 --------------------- testing/tests/libipsec/rw-suite-b/posttest.dat | 6 - testing/tests/libipsec/rw-suite-b/pretest.dat | 11 - testing/tests/libipsec/rw-suite-b/test.conf | 21 - .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/strongswan.conf | 5 + .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf | 3 - .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 5 + .../pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf | 3 - .../net2net-rekey/hosts/moon/etc/strongswan.conf | 5 + testing/tests/sql/ip-pool-db-expired/evaltest.dat | 4 +- testing/tests/sql/ip-pool-db-expired/posttest.dat | 6 +- testing/tests/sql/ip-pool-db-expired/pretest.dat | 9 +- testing/tests/sql/ip-pool-db-restart/posttest.dat | 6 +- testing/tests/sql/ip-pool-db-restart/pretest.dat | 9 +- testing/tests/sql/ip-pool-db/posttest.dat | 6 +- testing/tests/sql/ip-pool-db/pretest.dat | 9 +- .../sql/ip-split-pools-db-restart/posttest.dat | 6 +- .../sql/ip-split-pools-db-restart/pretest.dat | 9 +- testing/tests/sql/ip-split-pools-db/posttest.dat | 6 +- testing/tests/sql/ip-split-pools-db/pretest.dat | 9 +- testing/tests/sql/multi-level-ca/posttest.dat | 6 +- testing/tests/sql/multi-level-ca/pretest.dat | 9 +- testing/tests/sql/net2net-cert/posttest.dat | 4 +- testing/tests/sql/net2net-cert/pretest.dat | 8 +- testing/tests/sql/net2net-psk/posttest.dat | 4 +- testing/tests/sql/net2net-psk/pretest.dat | 8 +- testing/tests/sql/net2net-route-pem/posttest.dat | 4 +- testing/tests/sql/net2net-route-pem/pretest.dat | 6 +- testing/tests/sql/net2net-start-pem/posttest.dat | 4 +- testing/tests/sql/net2net-start-pem/pretest.dat | 8 +- testing/tests/sql/rw-cert/posttest.dat | 6 +- testing/tests/sql/rw-cert/pretest.dat | 9 +- testing/tests/sql/rw-eap-aka-rsa/posttest.dat | 4 +- testing/tests/sql/rw-eap-aka-rsa/pretest.dat | 6 +- testing/tests/sql/rw-psk-ipv4/posttest.dat | 6 +- testing/tests/sql/rw-psk-ipv4/pretest.dat | 9 +- testing/tests/sql/rw-psk-ipv6/posttest.dat | 6 +- testing/tests/sql/rw-psk-ipv6/pretest.dat | 9 +- testing/tests/sql/rw-psk-rsa-split/posttest.dat | 6 +- testing/tests/sql/rw-psk-rsa-split/pretest.dat | 9 +- testing/tests/sql/rw-rsa-keyid/posttest.dat | 6 +- testing/tests/sql/rw-rsa-keyid/pretest.dat | 9 +- testing/tests/sql/rw-rsa/posttest.dat | 6 +- testing/tests/sql/rw-rsa/pretest.dat | 9 +- .../tests/sql/shunt-policies-nat-rw/posttest.dat | 6 +- .../tests/sql/shunt-policies-nat-rw/pretest.dat | 9 +- .../config-payload/hosts/carol/etc/strongswan.conf | 9 +- .../config-payload/hosts/dave/etc/strongswan.conf | 9 +- .../config-payload/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/swanctl/config-payload/posttest.dat | 6 +- testing/tests/swanctl/config-payload/pretest.dat | 6 +- .../crl-to-cache/hosts/carol/etc/strongswan.conf | 9 +- .../crl-to-cache/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/swanctl/crl-to-cache/posttest.dat | 4 +- testing/tests/swanctl/crl-to-cache/pretest.dat | 4 +- .../dhcp-dynamic/hosts/carol/etc/strongswan.conf | 9 +- .../dhcp-dynamic/hosts/dave/etc/strongswan.conf | 9 +- .../dhcp-dynamic/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/dhcp-dynamic/posttest.dat | 6 +- testing/tests/swanctl/dhcp-dynamic/pretest.dat | 6 +- .../frags-ipv4/hosts/carol/etc/strongswan.conf | 9 +- .../frags-ipv4/hosts/dave/etc/strongswan.conf | 9 +- .../frags-ipv4/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/swanctl/frags-ipv4/posttest.dat | 6 +- testing/tests/swanctl/frags-ipv4/pretest.dat | 6 +- .../frags-ipv6/hosts/carol/etc/strongswan.conf | 10 +- .../frags-ipv6/hosts/dave/etc/strongswan.conf | 10 +- .../frags-ipv6/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/swanctl/frags-ipv6/posttest.dat | 6 +- testing/tests/swanctl/frags-ipv6/pretest.dat | 6 +- .../ip-pool-db/hosts/carol/etc/strongswan.conf | 11 +- .../ip-pool-db/hosts/dave/etc/strongswan.conf | 9 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 12 +- testing/tests/swanctl/ip-pool-db/posttest.dat | 6 +- testing/tests/swanctl/ip-pool-db/pretest.dat | 6 +- .../ip-pool/hosts/carol/etc/strongswan.conf | 11 +- .../swanctl/ip-pool/hosts/dave/etc/strongswan.conf | 11 +- .../swanctl/ip-pool/hosts/moon/etc/strongswan.conf | 12 +- testing/tests/swanctl/ip-pool/posttest.dat | 6 +- testing/tests/swanctl/ip-pool/pretest.dat | 6 +- .../manual-prio/hosts/carol/etc/strongswan.conf | 11 +- .../manual-prio/hosts/dave/etc/strongswan.conf | 11 +- .../manual-prio/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/swanctl/manual-prio/posttest.dat | 6 +- testing/tests/swanctl/manual-prio/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 7 +- .../hosts/dave/etc/strongswan.conf | 7 +- .../hosts/moon/etc/strongswan.conf | 7 +- .../swanctl/mult-auth-rsa-eap-sim-id/posttest.dat | 6 +- .../swanctl/mult-auth-rsa-eap-sim-id/pretest.dat | 6 +- .../multi-level-ca/hosts/carol/etc/strongswan.conf | 9 +- .../multi-level-ca/hosts/dave/etc/strongswan.conf | 9 +- .../multi-level-ca/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/swanctl/multi-level-ca/posttest.dat | 12 +- testing/tests/swanctl/multi-level-ca/pretest.dat | 6 +- .../net2net-cert/hosts/moon/etc/strongswan.conf | 11 +- .../net2net-cert/hosts/sun/etc/strongswan.conf | 11 +- testing/tests/swanctl/net2net-cert/posttest.dat | 4 +- testing/tests/swanctl/net2net-cert/pretest.dat | 4 +- .../net2net-ed25519/hosts/moon/etc/strongswan.conf | 19 +- .../net2net-ed25519/hosts/sun/etc/strongswan.conf | 19 +- testing/tests/swanctl/net2net-ed25519/posttest.dat | 4 +- testing/tests/swanctl/net2net-ed25519/pretest.dat | 4 +- .../net2net-gw/hosts/carol/etc/strongswan.conf | 7 +- .../net2net-gw/hosts/moon/etc/strongswan.conf | 7 +- .../net2net-gw/hosts/sun/etc/strongswan.conf | 7 +- testing/tests/swanctl/net2net-gw/posttest.dat | 6 +- testing/tests/swanctl/net2net-gw/pretest.dat | 6 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/sun/etc/strongswan.conf | 8 +- .../tests/swanctl/net2net-multicast/posttest.dat | 4 +- .../tests/swanctl/net2net-multicast/pretest.dat | 4 +- .../net2net-pubkey/hosts/moon/etc/strongswan.conf | 7 +- .../net2net-pubkey/hosts/sun/etc/strongswan.conf | 7 +- testing/tests/swanctl/net2net-pubkey/posttest.dat | 4 +- testing/tests/swanctl/net2net-pubkey/pretest.dat | 4 +- .../net2net-route/hosts/moon/etc/strongswan.conf | 11 +- .../net2net-route/hosts/sun/etc/strongswan.conf | 11 +- testing/tests/swanctl/net2net-route/posttest.dat | 4 +- testing/tests/swanctl/net2net-route/pretest.dat | 4 +- .../hosts/moon/etc/strongswan.conf | 11 +- .../hosts/sun/etc/strongswan.conf | 11 +- .../swanctl/net2net-sha3-rsa-cert/posttest.dat | 4 +- .../swanctl/net2net-sha3-rsa-cert/pretest.dat | 4 +- .../net2net-start/hosts/moon/etc/strongswan.conf | 9 +- .../net2net-start/hosts/sun/etc/strongswan.conf | 9 +- testing/tests/swanctl/net2net-start/posttest.dat | 4 +- testing/tests/swanctl/net2net-start/pretest.dat | 4 +- .../ocsp-disabled/hosts/carol/etc/strongswan.conf | 9 +- .../ocsp-disabled/hosts/moon/etc/strongswan.conf | 6 +- testing/tests/swanctl/ocsp-disabled/posttest.dat | 4 +- testing/tests/swanctl/ocsp-disabled/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 10 +- .../hosts/dave/etc/strongswan.conf | 10 +- .../hosts/moon/etc/strongswan.conf | 10 +- .../tests/swanctl/ocsp-multi-level/posttest.dat | 12 +- testing/tests/swanctl/ocsp-multi-level/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/moon/etc/strongswan.conf | 7 +- .../tests/swanctl/ocsp-signer-cert/posttest.dat | 4 +- testing/tests/swanctl/ocsp-signer-cert/pretest.dat | 4 +- .../protoport-dual/hosts/carol/etc/strongswan.conf | 7 +- .../protoport-dual/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/protoport-dual/posttest.dat | 4 +- testing/tests/swanctl/protoport-dual/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 7 +- .../protoport-range/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/protoport-range/posttest.dat | 4 +- testing/tests/swanctl/protoport-range/pretest.dat | 4 +- testing/tests/swanctl/rw-cert-pss/description.txt | 8 + testing/tests/swanctl/rw-cert-pss/evaltest.dat | 14 + .../rw-cert-pss/hosts/carol/etc/strongswan.conf | 18 + .../hosts/carol/etc/swanctl/rsa/carolKey.pem | 30 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 ++ .../rw-cert-pss/hosts/dave/etc/strongswan.conf | 18 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../rw-cert-pss/hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + testing/tests/swanctl/rw-cert-pss/posttest.dat | 8 + testing/tests/swanctl/rw-cert-pss/pretest.dat | 11 + testing/tests/swanctl/rw-cert-pss/test.conf | 25 + .../rw-cert/hosts/carol/etc/strongswan.conf | 9 +- .../swanctl/rw-cert/hosts/dave/etc/strongswan.conf | 9 +- .../swanctl/rw-cert/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/swanctl/rw-cert/posttest.dat | 6 +- testing/tests/swanctl/rw-cert/pretest.dat | 6 +- .../rw-dnssec/hosts/carol/etc/strongswan.conf | 7 +- .../rw-dnssec/hosts/dave/etc/strongswan.conf | 7 +- .../rw-dnssec/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/rw-dnssec/posttest.dat | 6 +- testing/tests/swanctl/rw-dnssec/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 8 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat | 4 +- .../tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 9 +- .../tests/swanctl/rw-eap-md5-id-rsa/posttest.dat | 4 +- .../tests/swanctl/rw-eap-md5-id-rsa/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 11 +- .../tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat | 6 +- .../tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 10 +- .../rw-hash-and-url/hosts/dave/etc/strongswan.conf | 10 +- .../rw-hash-and-url/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/swanctl/rw-hash-and-url/posttest.dat | 6 +- testing/tests/swanctl/rw-hash-and-url/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 18 +- .../hosts/dave/etc/strongswan.conf | 18 +- .../hosts/moon/etc/strongswan.conf | 18 +- .../swanctl/rw-multi-ciphers-ikev1/posttest.dat | 6 +- .../swanctl/rw-multi-ciphers-ikev1/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 10 +- .../tests/swanctl/rw-newhope-bliss/posttest.dat | 6 +- testing/tests/swanctl/rw-newhope-bliss/pretest.dat | 6 +- .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf | 7 +- .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf | 7 +- .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf | 8 +- testing/tests/swanctl/rw-ntru-bliss/posttest.dat | 6 +- testing/tests/swanctl/rw-ntru-bliss/pretest.dat | 6 +- .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf | 7 +- .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf | 7 +- .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/rw-psk-fqdn/posttest.dat | 6 +- testing/tests/swanctl/rw-psk-fqdn/pretest.dat | 6 +- .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf | 16 +- .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf | 16 +- .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf | 16 +- testing/tests/swanctl/rw-psk-ikev1/posttest.dat | 6 +- testing/tests/swanctl/rw-psk-ikev1/pretest.dat | 6 +- .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf | 7 +- .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf | 7 +- .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/rw-psk-ipv4/posttest.dat | 6 +- testing/tests/swanctl/rw-psk-ipv4/pretest.dat | 6 +- .../rw-pubkey-anon/hosts/carol/etc/strongswan.conf | 11 +- .../rw-pubkey-anon/hosts/dave/etc/strongswan.conf | 11 +- .../rw-pubkey-anon/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/swanctl/rw-pubkey-anon/posttest.dat | 6 +- testing/tests/swanctl/rw-pubkey-anon/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../rw-pubkey-keyid/hosts/dave/etc/strongswan.conf | 11 +- .../rw-pubkey-keyid/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/swanctl/rw-pubkey-keyid/posttest.dat | 6 +- testing/tests/swanctl/rw-pubkey-keyid/pretest.dat | 6 +- .../hosts/alice/etc/strongswan.conf | 6 +- .../hosts/sun/etc/strongswan.conf | 8 +- .../hosts/venus/etc/strongswan.conf | 6 +- .../swanctl/shunt-policies-nat-rw/posttest.dat | 6 +- .../swanctl/shunt-policies-nat-rw/pretest.dat | 6 +- .../xauth-rsa/hosts/carol/etc/strongswan.conf | 7 +- .../xauth-rsa/hosts/dave/etc/strongswan.conf | 7 +- .../xauth-rsa/hosts/moon/etc/strongswan.conf | 7 +- testing/tests/swanctl/xauth-rsa/posttest.dat | 6 +- testing/tests/swanctl/xauth-rsa/pretest.dat | 6 +- .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf | 9 +- .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf | 9 +- .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-11-fhh/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-fhh/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 10 +- .../tests/tnc/tnccs-11-radius-block/posttest.dat | 6 +- .../tests/tnc/tnccs-11-radius-block/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 10 +- testing/tests/tnc/tnccs-11-radius-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../tnccs-11-radius/hosts/dave/etc/strongswan.conf | 11 +- .../tnccs-11-radius/hosts/moon/etc/strongswan.conf | 10 +- testing/tests/tnc/tnccs-11-radius/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-radius/pretest.dat | 6 +- .../tnc/tnccs-11/hosts/carol/etc/strongswan.conf | 9 +- .../tnc/tnccs-11/hosts/dave/etc/strongswan.conf | 9 +- .../tnc/tnccs-11/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-11/posttest.dat | 6 +- testing/tests/tnc/tnccs-11/pretest.dat | 6 +- .../tnccs-20-block/hosts/carol/etc/strongswan.conf | 9 +- .../tnccs-20-block/hosts/dave/etc/strongswan.conf | 9 +- .../tnccs-20-block/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-block/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-block/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 13 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 11 +- .../tests/tnc/tnccs-20-client-retry/posttest.dat | 6 +- .../tests/tnc/tnccs-20-client-retry/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat | 4 +- .../hosts/alice/etc/strongswan.conf | 13 +- testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-fail-init/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-fail-init/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-fail-resp/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-fail-resp/pretest.dat | 4 +- .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf | 11 +- .../tnccs-20-fhh/hosts/dave/etc/strongswan.conf | 11 +- .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-fhh/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-fhh/pretest.dat | 6 +- .../hosts/alice/etc/strongswan.conf | 12 +- .../hosts/carol/etc/strongswan.conf | 21 +- .../hosts/dave/etc/strongswan.conf | 25 +- .../hosts/moon/etc/strongswan.conf | 8 +- testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat | 8 +- testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat | 8 +- .../hosts/moon/etc/strongswan.conf | 15 +- .../hosts/sun/etc/strongswan.conf | 20 +- .../tnc/tnccs-20-mutual-eap-fail/posttest.dat | 4 +- .../tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat | 4 +- .../hosts/moon/etc/strongswan.conf | 13 +- .../hosts/sun/etc/strongswan.conf | 20 +- testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat | 4 +- .../hosts/sun/etc/strongswan.conf | 18 +- .../tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat | 2 +- .../tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat | 2 +- testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat | 4 +- .../hosts/alice/etc/strongswan.conf | 13 +- testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-os-pts/evaltest.dat | 12 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf | 11 +- .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf | 15 +- testing/tests/tnc/tnccs-20-os-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-os-pts/pretest.dat | 10 +- .../tnccs-20-os/hosts/carol/etc/strongswan.conf | 11 +- .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf | 11 +- .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/tnc/tnccs-20-os/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-os/pretest.dat | 6 +- .../hosts/alice/etc/strongswan.conf | 12 +- .../hosts/carol/etc/strongswan.conf | 11 +- .../hosts/dave/etc/strongswan.conf | 11 +- .../hosts/moon/etc/strongswan.conf | 8 +- testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat | 10 +- testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat | 10 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat | 4 +- .../hosts/alice/etc/strongswan.conf | 13 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 9 +- .../hosts/dave/etc/strongswan.conf | 9 +- .../hosts/moon/etc/strongswan.conf | 11 +- testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat | 6 +- .../tnccs-20-pts/hosts/carol/etc/strongswan.conf | 13 +- .../tnccs-20-pts/hosts/dave/etc/strongswan.conf | 9 +- .../tnccs-20-pts/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/tnc/tnccs-20-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-pts/pretest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 13 +- .../hosts/dave/etc/strongswan.conf | 13 +- .../hosts/moon/etc/strongswan.conf | 13 +- .../tests/tnc/tnccs-20-server-retry/posttest.dat | 6 +- .../tests/tnc/tnccs-20-server-retry/pretest.dat | 6 +- .../tnccs-20-tls/hosts/carol/etc/strongswan.conf | 11 +- .../tnccs-20-tls/hosts/dave/etc/strongswan.conf | 11 +- .../tnccs-20-tls/hosts/moon/etc/strongswan.conf | 11 +- testing/tests/tnc/tnccs-20-tls/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-tls/pretest.dat | 6 +- .../tnc/tnccs-20/hosts/carol/etc/strongswan.conf | 9 +- .../tnc/tnccs-20/hosts/dave/etc/strongswan.conf | 9 +- .../tnc/tnccs-20/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20/posttest.dat | 6 +- testing/tests/tnc/tnccs-20/pretest.dat | 6 +- .../tnccs-dynamic/hosts/carol/etc/strongswan.conf | 9 +- .../tnccs-dynamic/hosts/dave/etc/strongswan.conf | 9 +- .../tnccs-dynamic/hosts/moon/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-dynamic/posttest.dat | 6 +- testing/tests/tnc/tnccs-dynamic/pretest.dat | 6 +- 1005 files changed, 8267 insertions(+), 6811 deletions(-) delete mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/host2host-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/description.txt create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/posttest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/pretest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev1/test.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/description.txt create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/posttest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/pretest.dat create mode 100644 testing/tests/ipv6-stroke/transport-ikev2/test.conf delete mode 100644 testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem delete mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem create mode 100644 testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets create mode 100755 testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem create mode 100755 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/description.txt create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/posttest.dat create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/pretest.dat create mode 100644 testing/tests/libipsec/net2net-cert-ipv6/test.conf delete mode 100644 testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/libipsec/rw-suite-b/description.txt delete mode 100644 testing/tests/libipsec/rw-suite-b/evaltest.dat delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf delete mode 100755 testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf delete mode 100755 testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf delete mode 100755 testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown delete mode 100644 testing/tests/libipsec/rw-suite-b/posttest.dat delete mode 100644 testing/tests/libipsec/rw-suite-b/pretest.dat delete mode 100644 testing/tests/libipsec/rw-suite-b/test.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/description.txt create mode 100755 testing/tests/swanctl/rw-cert-pss/evaltest.dat create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-cert-pss/posttest.dat create mode 100755 testing/tests/swanctl/rw-cert-pss/pretest.dat create mode 100755 testing/tests/swanctl/rw-cert-pss/test.conf (limited to 'testing/tests') diff --git a/testing/tests/af-alg/alg-camellia/description.txt b/testing/tests/af-alg/alg-camellia/description.txt index 87679788f..995ab4c65 100644 --- a/testing/tests/af-alg/alg-camellia/description.txt +++ b/testing/tests/af-alg/alg-camellia/description.txt @@ -1,3 +1,3 @@ -Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / PRF_HMAC_SHA2_512 / MODP_3072 well as the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA384_192. -A ping from carol to alice successfully checks the established tunnel. +Roadwarrior carol proposes to gateway moon the IKE cipher suite camellia256-sha512-modp3072 +well as the ESP cipher suite camellia192-sha384. A ping from carol to alice successfully +checks the established tunnel. diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf index 81a85aa06..e475be3ca 100644 --- a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,10 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf index 81a85aa06..e475be3ca 100644 --- a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,10 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/af-alg/alg-camellia/posttest.dat +++ b/testing/tests/af-alg/alg-camellia/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat index 41255bccb..dbd1738ae 100644 --- a/testing/tests/af-alg/alg-camellia/pretest.dat +++ b/testing/tests/af-alg/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection net carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf index 3610ac699..456c70df2 100644 --- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf index afa7afe83..b6be829f4 100644 --- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf index 3610ac699..456c70df2 100644 --- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/af-alg/rw-cert/posttest.dat +++ b/testing/tests/af-alg/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat index 7652f460e..664cc9447 100644 --- a/testing/tests/af-alg/rw-cert/pretest.dat +++ b/testing/tests/af-alg/rw-cert/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt index 982efa5ea..28c6adb4b 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt +++ b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt @@ -1,4 +1,4 @@ Roadwarrior carol proposes to gateway moon the strong cipher suite -SERPENT_CBC_256 / HMAC_SHA2_512 / MODP_4096 for the IKE protocol and -SERPENT_CBC_256 / HMAC_SHA2_512_256 for ESP packets. A ping from carol to -alice successfully checks the established tunnel. +serpent256-sha512-modp4096 for the IKE protocol and serpent256-sha512 +for ESP packets. A ping from carol to alice successfully checks the +established tunnel. diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf index 10c0ac6fb..b57ffec12 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf index 6c49b5e9b..22371e465 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat index 6387dff4f..e9c83e483 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat @@ -1,2 +1,2 @@ -moon::service charon stop -carol::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl \ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat index 0f615f4ac..8c6a3ba30 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -moon::expect-connection rw -carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null \ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt index e1a7403e3..bfef69b5c 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt +++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt @@ -1,4 +1,4 @@ Roadwarrior carol proposes to gateway moon the strong cipher suite -TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096 for the IKE protocol and -TWOFISH_CBC_256 / HMAC_SHA2_512_256 for ESP packets. A ping from carol to -alice successfully checks the established tunnel. +twofish256-sha512-modp4096 for the IKE protocol and twofish256-sha512 +for ESP packets. A ping from carol to alice successfully checks the +established tunnel. diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf index 10c0ac6fb..b57ffec12 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf index 6c49b5e9b..22371e465 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf @@ -1,11 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default send_vendor_id = yes } diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat index 6387dff4f..e9c83e483 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat @@ -1,2 +1,2 @@ -moon::service charon stop -carol::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl \ No newline at end of file diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat index 0f615f4ac..b9e2a8eee 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -moon::expect-connection rw -carol::expect-connection home +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt index b3515c333..4b8eeb87e 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt +++ b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt @@ -1,4 +1,3 @@ -Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / MODP_2048 by defining ike=camellia256-sha256-modp2048 as well as -the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA1_96 by defining esp=camellia192-sha1 -in ipsec.conf. A ping from carol to alice successfully checks the established tunnel. +Roadwarrior carol proposes to gateway moon the IKE cipher suite +camellia256-sha512-modp3072 as well as the ESP cipher suite camellia192-sha384. +A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat index 562336fd4..8a2e36baa 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat @@ -1,12 +1,6 @@ -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES -carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf deleted file mode 100644 index f0bbfc10f..000000000 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index 3c094be34..e1d5a10dc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 gcrypt hmac x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..acba9cecb --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 8481f8974..000000000 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf index 3c094be34..e1d5a10dc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 gcrypt hmac x509 revocation kernel-netlink curl socket-default updown vici } diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1c06bb2ce --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat index 046d4cfdc..2b00bea8e 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat index e34f70277..dbd1738ae 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection net carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/gcrypt-ikev2/rw-cert/description.txt b/testing/tests/gcrypt-ikev2/rw-cert/description.txt index f60f5b1ad..0502a6be2 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/description.txt +++ b/testing/tests/gcrypt-ikev2/rw-cert/description.txt @@ -5,8 +5,8 @@ plugins aes des sha1 sha2 md5 gmp.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave ping -the client alice behind the gateway moon. +Upon the successful establishment of the IPsec tunnels, the updown directive +in swanctl.conf automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test both tunnel and firewall, both carol and +dave ping the client alice behind the gateway moon. diff --git a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat index 849d59a4e..eccdcf0c1 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 214a8de28..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp1536! - esp=3des-sha1! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 2b4da7495..c637e97ec 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..22fe14f92 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-modp1536 + } + } + version = 2 + proposals = 3des-sha1-modp1536 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 603651a43..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha512-modp2048! - esp=aes256-sha512! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index f7b335e72..4f6bec1b4 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm vici stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { required = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b3622f50e --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index ce4c0decb..000000000 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha512-modp2048,3des-sha1-modp1536! - esp=aes256-sha512,3des-sha1! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 2b4da7495..c637e97ec 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,8 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ccd247af0 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-modp3072,3des-sha1-modp1536 + } + } + version = 2 + proposals = aes128-sha256-modp3072,3des-sha1-modp1536 + } +} diff --git a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat index 1865a1c60..b909ac76c 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat index 15c4ad7d1..664cc9447 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection net +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/rw-cert/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/test.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf index d6e251dba..0ddecec94 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 3" - conn %default keyexchange=ikev1 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf index 02ae5affa..7e78d0431 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 3 + } + } } diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf index 7c0490d59..40327a9ec 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 3" - conn %default keyexchange=ikev1 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf index 02ae5affa..7e78d0431 100644 --- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 3 + } + } } diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf index 4fcff4a89..6c4ad62fc 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf index 2e81bfd04..1bf040c21 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf index 218c9f155..a725ea7da 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index 38df6a919..759b92285 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = optimum diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf index ce610b6a3..5cadaccc9 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev1 ike=aes256-sha512-ntru256! esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf index 7a578d242..04da33fd6 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf @@ -5,4 +5,10 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf index 77ed2c0c9..afa1641c5 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="job 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf index af5fa19ef..cf4c1eba4 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + job = 2 + } + } } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf index 82a8f38c5..51a2e5758 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="job 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf index 93f434598..f09c27902 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + job = 2 + } + } } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf index 89674b2a1..7456a9d8a 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index d69a7b808..99d3c61d9 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf index 82804a0fe..3c0578d4b 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index a3c9999f7..99a0e8940 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf index aac963e91..eee4e6edc 100644 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -10,7 +7,7 @@ conn %default keyingtries=1 keyexchange=ikev2 -conn alice +conn alice rightid=alice@strongswan.org mark=10/0xffffffff also=sun diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf index 93f434598..9691dd22f 100644 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf index 7af65a55d..e8eaa4887 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default keyexchange=ikev2 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf index 82da6cb7a..95e90fd09 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default keyexchange=ikev2 ike=aes128-sha256-modp3072! diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf index 8cce0c957..71f5442c0 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes128-sha256-esn-noesn! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf index 1fd5ddb03..9e0df8111 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2, knl 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes128-sha256-modp3072! esp=aes128-sha256-esn! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf index 02ae5affa..ca7ff4f59 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf @@ -3,4 +3,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf index 01d114dd9..4251ecd68 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes128-sha256! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf index 49077484a..2dd0446ce 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf @@ -6,9 +6,15 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { - parameter_set = x9_98_bandwidth + parameter_set = x9_98_bandwidth } } } diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf index e57bec965..449ee7989 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes128-sha256-ntru128! esp=aes128-sha256! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf index 1dcbd6c27..2dd0446ce 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = x9_98_bandwidth diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf index 9da45bcba..f29a8b2a2 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m @@ -13,7 +10,7 @@ conn %default esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index 38df6a919..759b92285 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -6,6 +6,12 @@ charon { multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } plugins { ntru { parameter_set = optimum diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf index 50be98057..76fbc8024 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/ipsec.conf @@ -1,19 +1,16 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="ike 4, lib 4" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 ike=aes256-sha512-ntru256! esp=aes256-sha512! mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf index 0b31f738c..d461bda50 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf @@ -4,4 +4,10 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes + syslog { + daemon { + ike = 4 + lib = 4 + } + } } diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf index aeaebe1f4..8c7918b80 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -25,7 +22,7 @@ conn dscp-ef also=net-net auto=add -conn net-net +conn net-net left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftfirewall=yes diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf index 3cf8c8807..a0be3ce18 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf index 8b54476fd..3c4d0a07f 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf @@ -1,13 +1,10 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 mobike=no @@ -25,7 +22,7 @@ conn dscp-ef also=net-net auto=add -conn net-net +conn net-net left=PH_IP_SUN leftsubnet=10.2.0.0/16 leftfirewall=yes diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf index 3cf8c8807..a0be3ce18 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf index dcd98b4de..ec3daa00a 100644 --- a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m lifetime=10s diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf index 3dcbf76ea..8d26c1381 100644 --- a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown # remove rekeyed inbound SA a bit quicker for the test scenario delete_rekeyed_delay = 2 + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf index 9ba918893..ec7d9a79a 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m @@ -11,7 +8,7 @@ conn %default keyexchange=ikev2 mobike=no -conn net-net +conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf index 18ed6a4c4..c9a56d748 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf index d41e43a5c..cc86ebc0a 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf @@ -1,17 +1,14 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="cfg 2" - conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 mobike=no -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf index 18ed6a4c4..c9a56d748 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + cfg = 2 + } + } } diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf index a5c2cc5fc..cdcf4e6f2 100644 --- a/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf @@ -1,7 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf index af5fa19ef..6bc136a9b 100644 --- a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf index b7b27b720..10d92873d 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf index 6b0ab0dcc..58a2f2243 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-tls { max_message_count = 40 diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf index ee4bfd27d..0ab0c4772 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf index 6b0ab0dcc..58a2f2243 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-tls { max_message_count = 40 diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index 5e06976d1..756e3835c 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index 2261fc3e1..74881b5cf 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index 37fa2b435..4a645d741 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 8865bd52c..797d27cc2 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf index fc6f1e633..6aaeb160f 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf index 84d571482..ef5666914 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf @@ -3,6 +3,11 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf index 8ff3c2ab6..576d2cb99 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf index 367c0b527..ba52ec31e 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf index cd93a48e7..738481257 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf index 242329b3b..02899fdb7 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-ttls { phase2_method = md5 diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf index 8ff3c2ab6..576d2cb99 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf index 367c0b527..ba52ec31e 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf index 951002690..fa1febe0f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf index cd93a48e7..738481257 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf index 20afebf81..0ff7725ca 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf @@ -4,6 +4,11 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } plugins { eap-ttls { phase2_method = md5 diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf index 5b1ac90a3..c18df1c73 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf index 1d380c409..443332acc 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf index 8aa168745..2b58fbfca 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf index 1d380c409..443332acc 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf index 4b549cbd5..f0094e4d7 100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m @@ -10,7 +7,7 @@ conn %default keyingtries=1 keyexchange=ikev2 -conn alice +conn alice rightid=alice@strongswan.org mark_in=10/0xffffffff mark_out=11/0xffffffff diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf index 93f434598..9691dd22f 100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf @@ -2,4 +2,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf index a2d62296f..0e4eaa1ea 100644 --- a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf index dbcd7d844..709e0c5e4 100644 --- a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf index 3c7adfbf9..47792af99 100644 --- a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf index 409bee2cb..650ebddd9 100644 --- a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf index 71edc4c14..ef99cc768 100644 --- a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf index 8d89cd0bb..5e900fd1b 100644 --- a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/description.txt b/testing/tests/ipv6-stroke/host2host-ikev1/description.txt new file mode 100644 index 000000000..b52c4caf8 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP connection between the hosts moon and sun is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec tunnel, leftfirewall=yes automatically inserts ip6tables-based firewall +rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat new file mode 100644 index 000000000..186ce4e06 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..9e68eb674 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=fec1::0/16 + rightsubnet=fec2::0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add + diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8c90a8e03 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..23bc5c627 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=fec2::0/16 + rightsubnet=fec1::0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat new file mode 100644 index 000000000..46c015387 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/test.conf b/testing/tests/ipv6-stroke/host2host-ikev1/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/description.txt b/testing/tests/ipv6-stroke/host2host-ikev2/description.txt new file mode 100644 index 000000000..b52c4caf8 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP connection between the hosts moon and sun is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec tunnel, leftfirewall=yes automatically inserts ip6tables-based firewall +rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat new file mode 100644 index 000000000..186ce4e06 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..faee5c854 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn net-net + also=host-host + leftsubnet=fec1::0/16 + rightsubnet=fec2::0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add + diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..f4dc393ee --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn net-net + also=host-host + leftsubnet=fec2::0/16 + rightsubnet=fec1::0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat new file mode 100644 index 000000000..46c015387 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/test.conf b/testing/tests/ipv6-stroke/host2host-ikev2/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/host2host-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ikev1/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon +sends an IPv6 ICMP request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat new file mode 100644 index 000000000..4cf23a31b --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..4821989a9 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=fec1::0/16 + rightsubnet=fec2::0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..23bc5c627 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=fec2::0/16 + rightsubnet=fec1::0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat new file mode 100644 index 000000000..a14b3cf79 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ikev1/test.conf new file mode 100644 index 000000000..abade5bba --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ikev2/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon +sends an IPv6 ICMP request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat new file mode 100644 index 000000000..4cf23a31b --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..7292066a9 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + fragmentation=yes + mobike=no + +conn net-net + also=host-host + leftsubnet=fec1::0/16 + rightsubnet=fec2::0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..2141c15c5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + fragmentation=yes + mobike=no + +conn net-net + also=host-host + leftsubnet=fec2::0/16 + rightsubnet=fec1::0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat new file mode 100644 index 000000000..a14b3cf79 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ikev2/test.conf new file mode 100644 index 000000000..abade5bba --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt new file mode 100644 index 000000000..62fff0b30 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/description.txt @@ -0,0 +1,4 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client alice behind moon +sends an IPv4 ICMP request to client bob behind sun using the ping command. diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat new file mode 100644 index 000000000..ee9e22ed7 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..c43086f76 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=10.1.0.0/16 + rightsubnet=10.2.0.0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..f64bc2342 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + also=host-host + leftsubnet=10.2.0.0/16 + rightsubnet=10.1.0.0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat new file mode 100644 index 000000000..812ccd162 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf new file mode 100644 index 000000000..58ec28767 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt new file mode 100644 index 000000000..62fff0b30 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/description.txt @@ -0,0 +1,4 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client alice behind moon +sends an IPv4 ICMP request to client bob behind sun using the ping command. diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat new file mode 100644 index 000000000..ee9e22ed7 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..704737eaf --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + also=host-host + leftsubnet=10.1.0.0/16 + rightsubnet=10.2.0.0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..e739fc8ea --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + also=host-host + leftsubnet=10.2.0.0/16 + rightsubnet=10.1.0.0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..00380ccb4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat new file mode 100644 index 000000000..812ccd162 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf new file mode 100644 index 000000000..58ec28767 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon +sends an IPv6 ICMP request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat new file mode 100644 index 000000000..803cf5ef5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..93660a2d8 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn net-net + left=PH_IP_MOON + leftsubnet=fec1::0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=fec2::0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..aeab0b9b5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes = no + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..30dadee78 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn net-net + left=PH_IP_SUN + leftsubnet=fec2::0/16 + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=fec1::0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..429439ee4 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes=no + fragment_size = 1400 +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat new file mode 100644 index 000000000..58711bc06 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf new file mode 100644 index 000000000..345e2d808 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt new file mode 100644 index 000000000..5952ecc2d --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/description.txt @@ -0,0 +1,6 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon +sends an IPv6 ICMP request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat new file mode 100644 index 000000000..803cf5ef5 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f1cbd5576 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftsubnet=fec1::0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=fec2::0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0be55a717 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes = no +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..1f1fa6c51 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftsubnet=fec2::0/16 + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=fec1::0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..812d52a95 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown + install_routes=no +} diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat new file mode 100644 index 000000000..078fca541 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +sun::ipsec stop +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat new file mode 100644 index 000000000..58711bc06 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::ipsec start +sun::ipsec start +moon::expect-connection net-net +sun::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf new file mode 100644 index 000000000..345e2d808 --- /dev/null +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-ikev1/description.txt new file mode 100644 index 000000000..17461370e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/description.txt @@ -0,0 +1,7 @@ +The roadwarriors carol and dave set up an IPv6 connection each +to gateway moon. The authentication is based on X.509 certificates. +Upon the successful establishment of the IPv6 ESP tunnels, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to the client alice behind the gateway moon +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat new file mode 100644 index 000000000..0e125b70e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..4bcfd19dd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn home + left=PH_IP6_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..af5fa19ef --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..125303638 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn home + left=PH_IP6_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..880b1b2e7 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn rw + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=fec1::/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat b/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat b/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat new file mode 100644 index 000000000..f60be3887 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/pretest.dat @@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-ikev1/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-ikev2/description.txt new file mode 100644 index 000000000..17461370e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/description.txt @@ -0,0 +1,7 @@ +The roadwarriors carol and dave set up an IPv6 connection each +to gateway moon. The authentication is based on X.509 certificates. +Upon the successful establishment of the IPv6 ESP tunnels, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to the client alice behind the gateway moon +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat new file mode 100644 index 000000000..0e125b70e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..21166b2d0 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP6_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..9c9714a33 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..9513be833 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP6_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..4bed27ec5 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=fec1::/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat new file mode 100644 index 000000000..f60be3887 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/pretest.dat @@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-ikev2/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt new file mode 100644 index 000000000..f9412611b --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each +to gateway moon. The authentication is based on X.509 certificates. +Both carol and dave request a virtual IPv6 address from moon via +the IKEv1 mode config payload. +

+Upon the successful establishment of the ESP tunnels, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to the client alice behind the gateway moon +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat new file mode 100644 index 000000000..f6dc9aa3e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..8aba6f0b1 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftsourceip=%config + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0c5b0b5a4 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..d0ff82c2d --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftsourceip=%config + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..e77d7b608 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=fec1::/16 + leftfirewall=yes + right=%any + rightsourceip=fec3::/120 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat new file mode 100644 index 000000000..ebe5e2a80 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec3:\:/16 via fec1:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat new file mode 100644 index 000000000..e73bde487 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/pretest.dat @@ -0,0 +1,15 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec3:\:/16 via fec1:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt new file mode 100644 index 000000000..237e6fa52 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each +to gateway moon. The authentication is based on X.509 certificates. +Both carol and dave request a virtual IPv6 address from moon via +the IKEv2 configuration payload. +

+Upon the successful establishment of the ESP tunnels, leftfirewall=yes +automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to the client alice behind the gateway moon +using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat new file mode 100644 index 000000000..f6dc9aa3e --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..1ca1c6c26 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftsourceip=%config + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..9c9714a33 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..bba2d96f7 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftsourceip=%config + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..5ea245568 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=fec1::/16 + leftfirewall=yes + right=%any + rightsourceip=fec3::/120 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3a52f0db6 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat new file mode 100644 index 000000000..ebe5e2a80 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec3:\:/16 via fec1:\:1" diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat new file mode 100644 index 000000000..e73bde487 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/pretest.dat @@ -0,0 +1,15 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec3:\:/16 via fec1:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt b/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt new file mode 100644 index 000000000..66fc09053 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/description.txt @@ -0,0 +1,7 @@ +The roadwarriors carol and dave set up an IPv6 tunnel connection each +to gateway moon. The authentication is based on distinct pre-shared keys +and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, +leftfirewall=yes automatically inserts ip6tables-based firewall rules that +let pass the tunneled traffic. In order to test both tunnel and firewall, both +carol and dave send an IPv6 ICMP request to client alice +behind the gateway moon using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat new file mode 100644 index 000000000..16982a736 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..47080139f --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + authby=secret + +conn home + left=PH_IP6_CAROL + leftfirewall=yes + right=PH_IP6_MOON + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..2abcb4e0a --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..c59d32a14 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + authby=secret + +conn home + left=PH_IP6_DAVE + leftfirewall=yes + right=PH_IP6_MOON + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..2375cd559 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..7d32866b5 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + authby=secret + +conn rw + left=PH_IP6_MOON + leftsubnet=fec1::/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..88c418353 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + +PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat new file mode 100644 index 000000000..93a96ec36 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/pretest.dat @@ -0,0 +1,20 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf b/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt b/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt new file mode 100644 index 000000000..66fc09053 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/description.txt @@ -0,0 +1,7 @@ +The roadwarriors carol and dave set up an IPv6 tunnel connection each +to gateway moon. The authentication is based on distinct pre-shared keys +and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, +leftfirewall=yes automatically inserts ip6tables-based firewall rules that +let pass the tunneled traffic. In order to test both tunnel and firewall, both +carol and dave send an IPv6 ICMP request to client alice +behind the gateway moon using the ping6 command. diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat new file mode 100644 index 000000000..16982a736 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..eed683f72 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=secret + +conn home + left=PH_IP6_CAROL + leftfirewall=yes + right=PH_IP6_MOON + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..2abcb4e0a --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..3b45adb0d --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=secret + +conn home + left=PH_IP6_DAVE + leftfirewall=yes + right=PH_IP6_MOON + rightsubnet=fec1::/16 + auto=add diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..2375cd559 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f6c4c6ab9 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=secret + +conn rw + left=PH_IP6_MOON + leftsubnet=fec1::/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..88c418353 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + +PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..955514391 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat new file mode 100644 index 000000000..4e59395e3 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +carol::ip6tables-restore < /etc/ip6tables.flush +dave::ip6tables-restore < /etc/ip6tables.flush +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat new file mode 100644 index 000000000..93a96ec36 --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/pretest.dat @@ -0,0 +1,20 @@ +moon::iptables-restore < /etc/iptables.drop +carol::iptables-restore < /etc/iptables.drop +dave::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +dave::expect-connection home +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf b/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf new file mode 100644 index 000000000..69b0757fd --- /dev/null +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/transport-ikev1/description.txt b/testing/tests/ipv6-stroke/transport-ikev1/description.txt new file mode 100644 index 000000000..2d54790aa --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP transport connection between the hosts moon and sun is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec SA, leftfirewall=yes automatically inserts ip6tables-based firewall +rules that let pass the protected traffic. In order to test both the transport connection +and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat new file mode 100644 index 000000000..5ae9d2c12 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ip xfrm state::mode transport::YES +sun:: ip xfrm state::mode transport::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f2938f307 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..9af8aa862 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat b/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat b/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat new file mode 100644 index 000000000..46c015387 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/transport-ikev1/test.conf b/testing/tests/ipv6-stroke/transport-ikev1/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6-stroke/transport-ikev2/description.txt b/testing/tests/ipv6-stroke/transport-ikev2/description.txt new file mode 100644 index 000000000..2d54790aa --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/description.txt @@ -0,0 +1,5 @@ +An IPv6 ESP transport connection between the hosts moon and sun is successfully set up. +The authentication is based on X.509 certificates. Upon the successful establishment of +the IPsec SA, leftfirewall=yes automatically inserts ip6tables-based firewall +rules that let pass the protected traffic. In order to test both the transport connection +and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. diff --git a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat new file mode 100644 index 000000000..0dfba54ea --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES +moon::ip xfrm state::mode transport::YES +sun:: ip xfrm state::mode transport::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..a48b6cbc6 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + mobike=no + keyexchange=ikev2 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP6_SUN + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..e80eb8101 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://ip6-winnetou.strongswan.org/certs/ + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + mobike=no + keyexchange=ikev2 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP6_MOON + rightid=@moon.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..93f434598 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat b/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat new file mode 100644 index 000000000..d3bebd0c6 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/ip6tables.flush +sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat b/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat new file mode 100644 index 000000000..46c015387 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.drop +sun::iptables-restore < /etc/iptables.drop +moon::ip6tables-restore < /etc/ip6tables.rules +sun::ip6tables-restore < /etc/ip6tables.rules +moon::ipsec start +sun::ipsec start +moon::expect-connection host-host +sun::expect-connection host-host +moon::ipsec up host-host diff --git a/testing/tests/ipv6-stroke/transport-ikev2/test.conf b/testing/tests/ipv6-stroke/transport-ikev2/test.conf new file mode 100644 index 000000000..e1d17aa16 --- /dev/null +++ b/testing/tests/ipv6-stroke/transport-ikev2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 diff --git a/testing/tests/ipv6/host2host-ikev1/description.txt b/testing/tests/ipv6/host2host-ikev1/description.txt index b52c4caf8..d9ef11539 100644 --- a/testing/tests/ipv6/host2host-ikev1/description.txt +++ b/testing/tests/ipv6/host2host-ikev1/description.txt @@ -1,5 +1,6 @@ -An IPv6 ESP connection between the hosts moon and sun is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec tunnel, leftfirewall=yes automatically inserts ip6tables-based firewall -rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel -and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. +An IPv6 ESP connection between the hosts moon and sun is successfully +set up. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules that pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, moon sends an IPv6 ICMP request to sun using +the ping6 command. diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat index 186ce4e06..ef6ec2b98 100644 --- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat +++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 9e68eb674..000000000 --- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=fec2::0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add - diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf index 6cb3ee291..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf @@ -1,8 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1fa9a622c --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 23bc5c627..000000000 --- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=fec1::0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf index 6cb3ee291..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf @@ -1,8 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..585e32489 --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev1/posttest.dat b/testing/tests/ipv6/host2host-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/host2host-ikev1/posttest.dat +++ b/testing/tests/ipv6/host2host-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/host2host-ikev1/pretest.dat b/testing/tests/ipv6/host2host-ikev1/pretest.dat index 46c015387..340344c95 100644 --- a/testing/tests/ipv6/host2host-ikev1/pretest.dat +++ b/testing/tests/ipv6/host2host-ikev1/pretest.dat @@ -2,8 +2,9 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection host-host +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection host-host -moon::ipsec up host-host +moon::expect-connection host-host +moon::swanctl --initiate --child host-host 2> /dev/null +moon::sleep 1 diff --git a/testing/tests/ipv6/host2host-ikev1/test.conf b/testing/tests/ipv6/host2host-ikev1/test.conf index e1d17aa16..7bc3a6eee 100644 --- a/testing/tests/ipv6/host2host-ikev1/test.conf +++ b/testing/tests/ipv6/host2host-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/host2host-ikev2/description.txt b/testing/tests/ipv6/host2host-ikev2/description.txt index b52c4caf8..3714c800b 100644 --- a/testing/tests/ipv6/host2host-ikev2/description.txt +++ b/testing/tests/ipv6/host2host-ikev2/description.txt @@ -1,5 +1,6 @@ -An IPv6 ESP connection between the hosts moon and sun is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec tunnel, leftfirewall=yes automatically inserts ip6tables-based firewall -rules that let pass the tunneled traffic. In order to test both the host-to-host tunnel -and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. +An IPv6 ESP connection between the hosts moon and sun is successfully +set up. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the host-to-host tunnel +and the firewall rules, moon sends an IPv6 ICMP request to sun using +the ping6 command. diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat index 186ce4e06..23add7ae5 100644 --- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat +++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES -sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES \ No newline at end of file diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index faee5c854..000000000 --- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=fec2::0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add - diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..b422344f2 --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index f4dc393ee..000000000 --- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=fec1::0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..376f8d8fa --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/host2host-ikev2/posttest.dat b/testing/tests/ipv6/host2host-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/host2host-ikev2/posttest.dat +++ b/testing/tests/ipv6/host2host-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat index 46c015387..0c558800c 100644 --- a/testing/tests/ipv6/host2host-ikev2/pretest.dat +++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null \ No newline at end of file diff --git a/testing/tests/ipv6/host2host-ikev2/test.conf b/testing/tests/ipv6/host2host-ikev2/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/host2host-ikev2/test.conf +++ b/testing/tests/ipv6/host2host-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ikev1/description.txt b/testing/tests/ipv6/net2net-ikev1/description.txt index 5952ecc2d..9c574d22f 100644 --- a/testing/tests/ipv6/net2net-ikev1/description.txt +++ b/testing/tests/ipv6/net2net-ikev1/description.txt @@ -1,6 +1,7 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +An IPv6 ESP tunnel connection between the gateways moon and sun is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the net-to-net tunnel +and the firewall rules, client alice behind moon sends an IPv6 ICMP +request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat index 4cf23a31b..877459c88 100644 --- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 4821989a9..000000000 --- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=fec2::0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..e4ae7c91b --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 23bc5c627..000000000 --- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=fec1::0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..df389144d --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ikev1/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ikev1/pretest.dat index a14b3cf79..60b2810cf 100644 --- a/testing/tests/ipv6/net2net-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ikev1/pretest.dat @@ -6,8 +6,9 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net 2> /dev/null +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ikev1/test.conf b/testing/tests/ipv6/net2net-ikev1/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ikev2/description.txt b/testing/tests/ipv6/net2net-ikev2/description.txt index 5952ecc2d..0fe026cc0 100644 --- a/testing/tests/ipv6/net2net-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-ikev2/description.txt @@ -1,6 +1,7 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +An IPv6 ESP tunnel connection between the gateways moon and sun +is successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. In order to test both the net-to-net tunnel +and the firewall rules, client alice behind moon sends an IPv6 ICMP +request to client bob behind sun using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat index 4cf23a31b..a3e2bad94 100644 --- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 7292066a9..000000000 --- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - fragmentation=yes - mobike=no - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=fec2::0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1bf52633b --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 2141c15c5..000000000 --- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - fragmentation=yes - mobike=no - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=fec1::0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf index 00380ccb4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..73480f112 --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ikev2/pretest.dat index a14b3cf79..2db7a27c2 100644 --- a/testing/tests/ipv6/net2net-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ikev2/test.conf b/testing/tests/ipv6/net2net-ikev2/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat index ee9e22ed7..829c64764 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index c43086f76..000000000 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=10.1.0.0/16 - rightsubnet=10.2.0.0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..7604b97d5 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index f64bc2342..000000000 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn net-net - also=host-host - leftsubnet=10.2.0.0/16 - rightsubnet=10.1.0.0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf index 7a39a8ae4..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf @@ -1,7 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size=1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..4a7f98856 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat index 812ccd162..9a9d27b29 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat @@ -2,8 +2,9 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf index 58ec28767..cc1bf500f 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat index ee9e22ed7..b898de258 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat @@ -1,7 +1,6 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES + diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 704737eaf..000000000 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - also=host-host - leftsubnet=10.1.0.0/16 - rightsubnet=10.2.0.0/16 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..aea5c228c --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index e739fc8ea..000000000 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - also=host-host - leftsubnet=10.2.0.0/16 - rightsubnet=10.1.0.0/16 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf index 3a52f0db6..93dbda2d6 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1efe64d86 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat index 812ccd162..5a4e73383 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf index 58ec28767..cc1bf500f 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip4-in-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt index 5952ecc2d..26cb55e4d 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/description.txt @@ -1,6 +1,8 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +An IPv6 ESP tunnel connection between the gateways moon and sun is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client +alice behind moon sends an IPv6 ICMP request to client bob +behind sun using the ping6 command. diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat index 803cf5ef5..849da7c61 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16] +sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16] sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 93660a2d8..000000000 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_MOON - leftsubnet=fec1::0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=fec2::0/16 - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf index 0be55a717..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..e78611432 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + net-net { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 30dadee78..000000000 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_SUN - leftsubnet=fec2::0/16 - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=fec1::0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf index 812d52a95..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - install_routes=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 + install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..db19938ac --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + net-net { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat index 58711bc06..58be2992f 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat @@ -6,8 +6,9 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net +moon::sleep 1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf index 345e2d808..9f1c9a1f3 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt index 5952ecc2d..dee74097c 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/description.txt @@ -1,6 +1,8 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +An IPv6 ESP tunnel connection between the gateways moon and sun is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates. Upon the successful +establishment of the IPsec tunnel, automatically inserted ip6tables-based firewall +rules let pass the tunneled traffic. +In order to test both the net-to-net tunnel and the firewall rules, client +alice behind moon sends an IPv6 ICMP request to client bob +behind sun using the ping6 command. \ No newline at end of file diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat index 803cf5ef5..40ae8524a 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat @@ -1,7 +1,4 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16] +sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f1cbd5576..000000000 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_MOON - leftsubnet=fec1::0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=fec2::0/16 - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf index 0be55a717..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..775c2feae --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + net-net { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = fec2::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 1f1fa6c51..000000000 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftsubnet=fec2::0/16 - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=fec1::0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf index 812d52a95..89e0dfced 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown - install_routes=no +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + fragment_size = 1400 + install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..ed7e9b477 --- /dev/null +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + net-net { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat index 58711bc06..e1d5265cc 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf index 345e2d808..9f1c9a1f3 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6-in-ip4.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt b/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt index ebcc00724..0c0525ce1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/description.txt @@ -1,11 +1,14 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates containing RFC 3779 IP address block constraints. -Both moon and sun set rightsubnet=::/0 thus allowing the peers to narrow down -the address range to their actual subnets fec1::/16 and fec2::/16, respectively. -These unilaterally proposed traffic selectors must be validated by corresponding IP address block constraints. +An IPv6 ESP tunnel connection between the gateways moon and sun is +successfully set up. It connects the two subnets hiding behind their respective +gateways. The authentication is based on X.509 certificates containing +RFC 3779 IP address block constraints. Both moon and sun set +rightsubnet=::/0 thus allowing the peers to narrow down the address range +to their actual subnets fec1::/16 and fec2::/16, respectively. +These unilaterally proposed traffic selectors must be validated by corresponding +IP address block constraints.

-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. +Upon the successful establishment of the IPsec tunnel, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both the net-to-net tunnel and the firewall rules, client alice behind +moon sends an IPv6 ICMP request to client bob behind sun +using the ping6 command. diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat index 3b0a3eeca..72dade743 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat @@ -1,9 +1,7 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES sun:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 46b9ad415..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - also=host-host - leftsubnet=fec1::0/16 - rightsubnet=0::0/0 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 8e872d89f..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index 124e2ae46..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 -MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 -GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu -uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA -PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 -jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd -D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK -KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ -owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT -d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u -Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG -MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy -bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL -aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo -830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 -lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 -NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR -pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu -Mc/lk4Nl8pHRO+Xm ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 11607c8cb..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 -unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd -GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb -kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg -z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY -pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ -ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB -u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 -ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt -pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV -VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ -ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ -intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku -4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I -HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd -iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE -caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX -b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 -8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 -J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 -3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 -NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh -VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU -KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof -50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..11607c8cb --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..c172a2c13 --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16 + remote_ts = 0::0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..124e2ae46 --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT +d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u +Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG +MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy +bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 4a0f911a3..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - also=host-host - leftsubnet=fec2::0/16 - rightsubnet=0::0/0 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 8e872d89f..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem deleted file mode 100644 index a93121da1..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 -MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu -Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 -oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf -pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw -ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 -Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd -0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd -bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud -DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj -Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 -IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz -d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo -dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww -RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR -AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu -7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p -nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg -oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx -k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD -yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug -NnBR3lf2HB2lWA== ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem deleted file mode 100644 index 55f5f8037..000000000 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS -dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV -eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835 -dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid -gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah -tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn -d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB -J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3 -6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD -cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0 -SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB -BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG -KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2 -iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg -zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0 -7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE -ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4 -Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0 -lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU -7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7 -yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT -1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX -uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ -dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+ -QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A== ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem new file mode 100644 index 000000000..55f5f8037 --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/rsa/sunKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS +dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV +eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835 +dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid +gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah +tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn +d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB +J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3 +6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD +cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0 +SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB +BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG +KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2 +iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg +zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0 +7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE +ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4 +Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0 +lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU +7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7 +yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT +1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX +uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ +dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+ +QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..68927c36d --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + net-net { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16 + remote_ts = 0::0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem new file mode 100644 index 000000000..a93121da1 --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509/sunCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 +MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 +oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf +pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw +ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 +Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd +0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd +bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud +DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj +Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz +d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww +RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR +AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu +7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p +nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg +oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx +k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD +yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug +NnBR3lf2HB2lWA== +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat index 078fca541..aec4aa7d0 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl alice::"ip route del fec2:\:/16 via fec1:\:1" moon::"ip route del fec2:\:/16 via fec0:\:2" sun::"ip route del fec1:\:/16 via fec0:\:1" diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat index a14b3cf79..2db7a27c2 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat @@ -6,8 +6,8 @@ alice::"ip route add fec2:\:/16 via fec1:\:1" moon::"ip route add fec2:\:/16 via fec0:\:2" sun::"ip route add fec1:\:/16 via fec0:\:1" bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net sun::expect-connection net-net -moon::ipsec up net-net +moon::swanctl --initiate --child net-net diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf index abade5bba..5906883b1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="alice moon winnetou sun bob" - + # Corresponding block diagram # DIAGRAM="a-m-w-s-b-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat index 8229b6254..eddc9bf97 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat @@ -1,14 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES -moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES -moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES moon:: ip xfrm state::proto comp spi::YES carol::ip xfrm state::proto comp spi::YES # send two pings because the first is lost due to Path MTU Discovery between alice and moon carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES # reduce the size as the default is already larger than the threshold of 90 bytes carol::ping6 -c 1 -s 40 ip6-alice.strongswan.org::48 bytes from ip6-alice.strongswan.org::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index bd9a9e59f..000000000 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - compress=yes - leftfirewall=yes - -conn home - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP6_MOON - rightsubnet=fec1::/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf index af5fa19ef..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..279eb3205 --- /dev/null +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + ipcomp = yes + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index c4f9b5b5b..000000000 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - compress=yes - leftfirewall=yes - -conn rw - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - right=%any - auto=add diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf index 93f434598..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b15b952cc --- /dev/null +++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + ipcomp = yes + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat index fdaf44080..55b22dfde 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat index 3f6427f50..96a2d7d9e 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/pretest.dat @@ -6,8 +6,8 @@ carol::ip6tables-restore < /etc/ip6tables.rules moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-compress-ikev2/test.conf b/testing/tests/ipv6/rw-compress-ikev2/test.conf index 8098d4720..8eedcd9f9 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/test.conf +++ b/testing/tests/ipv6/rw-compress-ikev2/test.conf @@ -24,3 +24,7 @@ IPSECHOSTS="moon carol" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ikev1/description.txt b/testing/tests/ipv6/rw-ikev1/description.txt index 17461370e..c8549777d 100644 --- a/testing/tests/ipv6/rw-ikev1/description.txt +++ b/testing/tests/ipv6/rw-ikev1/description.txt @@ -1,7 +1,7 @@ The roadwarriors carol and dave set up an IPv6 connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPv6 ESP tunnels, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPv6 ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave send an IPv6 ICMP request to the client alice behind the gateway moon using the ping6 command. diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat index 0e125b70e..1202a99d2 100644 --- a/testing/tests/ipv6/rw-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 4bcfd19dd..000000000 --- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn home - left=PH_IP6_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf index 0835a1605..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..52970208b --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 125303638..000000000 --- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn home - left=PH_IP6_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c26ba5780 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 880b1b2e7..000000000 --- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn rw - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f72f9ef86 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev1/posttest.dat b/testing/tests/ipv6/rw-ikev1/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-ikev1/posttest.dat +++ b/testing/tests/ipv6/rw-ikev1/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ikev1/pretest.dat b/testing/tests/ipv6/rw-ikev1/pretest.dat index f60be3887..a8c8a7097 100644 --- a/testing/tests/ipv6/rw-ikev1/pretest.dat +++ b/testing/tests/ipv6/rw-ikev1/pretest.dat @@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ikev1/test.conf b/testing/tests/ipv6/rw-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ikev1/test.conf +++ b/testing/tests/ipv6/rw-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ikev2/description.txt b/testing/tests/ipv6/rw-ikev2/description.txt index 17461370e..c8549777d 100644 --- a/testing/tests/ipv6/rw-ikev2/description.txt +++ b/testing/tests/ipv6/rw-ikev2/description.txt @@ -1,7 +1,7 @@ The roadwarriors carol and dave set up an IPv6 connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPv6 ESP tunnels, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPv6 ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave send an IPv6 ICMP request to the client alice behind the gateway moon using the ping6 command. diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat index 0e125b70e..d5d5a6b1c 100644 --- a/testing/tests/ipv6/rw-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 21166b2d0..000000000 --- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5bfbe324d --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 9513be833..000000000 --- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7fe33bf8f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 4bed27ec5..000000000 --- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b28e49e07 --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/rw-ikev2/posttest.dat b/testing/tests/ipv6/rw-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ikev2/pretest.dat b/testing/tests/ipv6/rw-ikev2/pretest.dat index f60be3887..a8c8a7097 100644 --- a/testing/tests/ipv6/rw-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-ikev2/pretest.dat @@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ikev2/test.conf b/testing/tests/ipv6/rw-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ikev2/test.conf +++ b/testing/tests/ipv6/rw-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt index f9412611b..ce07226c5 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt @@ -1,10 +1,10 @@ -The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each -to gateway moon. The authentication is based on X.509 certificates. -Both carol and dave request a virtual IPv6 address from moon via -the IKEv1 mode config payload. +The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel +connection each to gateway moon. The authentication is based on X.509 +certificates. Both carol and dave request a virtual IPv6 +address from moon via the IKEv1 mode config payload.

-Upon the successful establishment of the ESP tunnels, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave send -an IPv6 ICMP request to the client alice behind the gateway moon -using the ping6 command. +Upon the successful establishment of the ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both tunnel and firewall, both carol and dave send an IPv6 ICMP +request to the client alice behind the gateway moon using the +ping6 command. diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat index f6dc9aa3e..78488871f 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16] +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16] +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128] +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128] moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 8aba6f0b1..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsourceip=%config - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..fcf530ebe --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf deleted file mode 100644 index d0ff82c2d..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftsourceip=%config - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..51fb8d65c --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e77d7b608..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - rightsourceip=fec3::/120 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..72201edc0 --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = fec3::/120 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat index ebe5e2a80..d8d4bbbec 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat index e73bde487..9a756eb78 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat @@ -5,11 +5,11 @@ moon::ip6tables-restore < /etc/ip6tables.rules carol::ip6tables-restore < /etc/ip6tables.rules dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec3:\:/16 via fec1:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt index 237e6fa52..790427243 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt @@ -1,10 +1,10 @@ -The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each -to gateway moon. The authentication is based on X.509 certificates. -Both carol and dave request a virtual IPv6 address from moon via -the IKEv2 configuration payload. +The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel +connection each to gateway moon. The authentication is based on X.509 +certificates Both carol and dave request a virtual IPv6 address +from moon via the IKEv2 configuration payload.

-Upon the successful establishment of the ESP tunnels, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave send -an IPv6 ICMP request to the client alice behind the gateway moon -using the ping6 command. +Upon the successful establishment of the ESP tunnels, automatically inserted +ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both tunnel and firewall, both carol and dave send an IPv6 ICMP +request to the client alice behind the gateway moon using the +ping6 command. diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat index f6dc9aa3e..d0f2bac96 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16] +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16] +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128] +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128] moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 1ca1c6c26..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsourceip=%config - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf index 9c9714a33..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1a9ed078f --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index bba2d96f7..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftsourceip=%config - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1fb687eaa --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0::0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 5ea245568..000000000 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - rightsourceip=fec3::/120 - auto=add diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6624bfb3e --- /dev/null +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = fec3::/120 + } +} diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat index ebe5e2a80..d8d4bbbec 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat index e73bde487..9a756eb78 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat @@ -5,11 +5,11 @@ moon::ip6tables-restore < /etc/ip6tables.rules carol::ip6tables-restore < /etc/ip6tables.rules dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec3:\:/16 via fec1:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-psk-ikev1/description.txt b/testing/tests/ipv6/rw-psk-ikev1/description.txt index 66fc09053..fd7369d8f 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/description.txt +++ b/testing/tests/ipv6/rw-psk-ikev1/description.txt @@ -1,7 +1,7 @@ -The roadwarriors carol and dave set up an IPv6 tunnel connection each +The roadwarriors carol and dave set up an IPv6 tunnel connection each to gateway moon. The authentication is based on distinct pre-shared keys and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, -leftfirewall=yes automatically inserts ip6tables-based firewall rules that -let pass the tunneled traffic. In order to test both tunnel and firewall, both -carol and dave send an IPv6 ICMP request to client alice -behind the gateway moon using the ping6 command. +automatically inserted ip6tables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to client alice behind the gateway moon using +the ping6 command. diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat index 16982a736..e92aa028d 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat @@ -1,13 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES + carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:20 remote-port=500 remote-id=fec0:\:20.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 47080139f..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=secret - -conn home - left=PH_IP6_CAROL - leftfirewall=yes - right=PH_IP6_MOON - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 2abcb4e0a..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..524530721 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::10 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf deleted file mode 100644 index c59d32a14..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=secret - -conn home - left=PH_IP6_DAVE - leftfirewall=yes - right=PH_IP6_MOON - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 2375cd559..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7e3cff4ff --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::20 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 7d32866b5..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=secret - -conn rw - left=PH_IP6_MOON - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 88c418353..000000000 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx - -PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..70c360ce7 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = psk + id = fec0::1 + } + remote { + auth = psk + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-carol { + id = fec0::10 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } + + ike-dave { + id = fec0::20 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat index 93a96ec36..48cb77608 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat @@ -7,14 +7,14 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-psk-ikev1/test.conf b/testing/tests/ipv6/rw-psk-ikev1/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/test.conf +++ b/testing/tests/ipv6/rw-psk-ikev1/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-psk-ikev2/description.txt b/testing/tests/ipv6/rw-psk-ikev2/description.txt index 66fc09053..0bd1474a0 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/description.txt +++ b/testing/tests/ipv6/rw-psk-ikev2/description.txt @@ -1,7 +1,7 @@ -The roadwarriors carol and dave set up an IPv6 tunnel connection each +TThe roadwarriors carol and dave set up an IPv6 tunnel connection each to gateway moon. The authentication is based on distinct pre-shared keys and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, -leftfirewall=yes automatically inserts ip6tables-based firewall rules that -let pass the tunneled traffic. In order to test both tunnel and firewall, both -carol and dave send an IPv6 ICMP request to client alice -behind the gateway moon using the ping6 command. +automatically inserted ip6tables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave send +an IPv6 ICMP request to client alice behind the gateway moon using +the ping6 command. diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat index 16982a736..ce79801ec 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:20 remote-port=4500 remote-id=fec0:\:20.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index eed683f72..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - authby=secret - -conn home - left=PH_IP6_CAROL - leftfirewall=yes - right=PH_IP6_MOON - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 2abcb4e0a..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6d1b0a61b --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::10 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 3b45adb0d..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - authby=secret - -conn home - left=PH_IP6_DAVE - leftfirewall=yes - right=PH_IP6_MOON - rightsubnet=fec1::/16 - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 2375cd559..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8d848205b --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = psk + id = fec0::20 + } + remote { + auth = psk + id = fec0::1 + } + children { + home { + remote_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-moon { + id = fec0::1 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f6c4c6ab9..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - authby=secret - -conn rw - left=PH_IP6_MOON - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 88c418353..000000000 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx - -PH_IP6_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf index 955514391..306228a75 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..df4170e96 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = psk + id = fec0::1 + } + remote { + auth = psk + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + ike-carol { + id = fec0::10 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } + + ike-dave { + id = fec0::20 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat index 93a96ec36..48cb77608 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat @@ -7,14 +7,14 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-psk-ikev2/test.conf b/testing/tests/ipv6/rw-psk-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/test.conf +++ b/testing/tests/ipv6/rw-psk-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat index 551eae263..082416d60 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat @@ -1,18 +1,13 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block constraint fec0:\:10/128::YES moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf deleted file mode 100644 index a2e054e13..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=0::0/0 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 8e872d89f..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index bf8a4919d..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5 -MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3 -YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ -u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu -a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr -xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ -Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj -FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2 -g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD -VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3 -0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry -b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz -d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw -MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA -ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0 -atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl -mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT -FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/ -6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0 -9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index a75622149..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1 -XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++ -e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie -SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP -uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN -8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL -KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG -nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo -U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg -qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6 -MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO -zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU -0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb -/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8 -5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl -lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58 -gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w -ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB -Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi -jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4 -OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s -zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy -R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn -oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv -XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA== ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf index da170cb15..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..a75622149 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/rsa/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1 +XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++ +e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie +SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP +uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN +8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL +KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG +nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo +U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg +qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6 +MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO +zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU +0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb +/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8 +5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl +lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58 +gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w +ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB +Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi +jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4 +OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s +zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy +R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn +oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv +XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..54fb36da4 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::10 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 0::0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem new file mode 100644 index 000000000..bf8a4919d --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509/carolCert.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5 +MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3 +YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ +u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu +a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr +xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ +Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj +FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2 +g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3 +0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry +b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz +d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw +MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA +ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0 +atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl +mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT +FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/ +6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0 +9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 8d275e2bd..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn home - left=PH_IP6_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - rightsubnet=0::0/0 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 8e872d89f..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 88ce01ed5..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5 -MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO -8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+ -OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz -eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4 -WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn -RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m -mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ -owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT -d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u -Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh -bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw -FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg -MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4 -TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t -U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU -IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe -5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2 -jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3 ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index f72970c4d..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx -EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR -cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8 -74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D -M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G -pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq -1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa -7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ -iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt -su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ -AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm -B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE -kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC -XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1 -VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z -/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU -CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf -552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG -XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi -o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ -NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2 -u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d -xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC -dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE -DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w== ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem new file mode 100644 index 000000000..f72970c4d --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/rsa/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx +EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR +cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8 +74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D +M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G +pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq +1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa +7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ +iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt +su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ +AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm +B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE +kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC +XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1 +VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z +/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU +CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf +552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG +XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi +o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ +NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2 +u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d +xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC +dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE +DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..098ba6db7 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = fec0::20 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 0::0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem new file mode 100644 index 000000000..88ce01ed5 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509/daveCert.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5 +MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO +8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+ +OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz +eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4 +WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn +RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m +mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT +d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u +Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh +bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw +FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg +MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4 +TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t +U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU +IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe +5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2 +jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3 +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 236302350..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/rfc3779/ - crluri=http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - -conn rw - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=fec1::/16 - leftfirewall=yes - right=%any - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 8e872d89f..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz -Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz -MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ -Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr -b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y -GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF -Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU -EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB -ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM -BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 -OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI -KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK -AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB -ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm -uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud -rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS -Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA -MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX -fN8iF5kHn7S+Nd9ZFlf3S1w= ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index 124e2ae46..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 -MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 -GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu -uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA -PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 -jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd -D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK -KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ -owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT -d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u -Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG -MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy -bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL -aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo -830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 -lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 -NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR -pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu -Mc/lk4Nl8pHRO+Xm ------END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 11607c8cb..000000000 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 -unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd -GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb -kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg -z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY -pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ -ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB -u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 -ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt -pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV -VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ -ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ -intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku -4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I -HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd -iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE -caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX -b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 -8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 -J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 -3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 -NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh -VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU -KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof -50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index 4fa0583ed..285350d7b 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..11607c8cb --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/rsa/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4edc8cd86 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = fec0::1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan_rfc3779.crl + } +} diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..124e2ae46 --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT +d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u +Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG +MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy +bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..8e872d89f --- /dev/null +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXTCCA0WgAwIBAgIJAPKv5keyTotGMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMz +Nzc5MR4wHAYDVQQDExVzdHJvbmdTd2FuIFJGQzM3NzkgQ0EwHhcNMDkxMjIzMTMz +MDUwWhcNMTkxMjIxMTMzMDUwWjBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +zP4z54hRFM3bg0WWxpa9yBh8CrloV8wWd3YQR9daJjErXdZfbnECZqoK5obWPkQJ +Cp2xGijnB5CDxvAdiFANgNxDeDuAD5jGzQALWVYgbhQ/y4qRw49IPs9k+Uf1OHVr +b3qP8uSvWEmb1SlAJ24PGChB8Y5NwJJzFY5P0TJI/Zg3zgbLTsbgiplImgi/ZG7Y +GE/DCb6UAzcRwE2y41U4ZVG86UW2ARnvOCXJZHdt16O3KzUJ78BA1IgMsNZs8cQF +Avg1ZAUJW6oMLXu2XCwKOKTwJxdA2wpYadus2KEY/UyVovHSpyBa/zzSDXsP01PU +EKNZhloVQVt9NX3MCUItfQIDAQABo4IBJDCCASAwEgYDVR0TAQH/BAgwBgEB/wIB +ATALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFCF/p+s30KMLH6HcQgYeEV880hAUMIGM +BgNVHSMEgYQwgYGAFCF/p+s30KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3 +OTEeMBwGA1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwTwYI +KwYBBQUHAQcBAf8EQDA+MCgEAgABMCIwCgMDAAoBAwMACgIwDgMFAAoDAAEDBQAK +AwPoAwQAwKgAMBIEAgACMAwwCgMDBv7AAwMA/sIwDQYJKoZIhvcNAQELBQADggEB +ABXhehDhC9jLipmZbP9r2t8ARjIjeHUk5UIX3sW9pKlwuOiFy/oEmJD72LYSPDFm +uKK4NDAllhJWKw1KA1j1h1NxE6tEjQTpj9mizjULI6T1HPWyn5E93vqFIK71k4ud +rxZXyq7fPrXM2QVKHpiT1DlAcopGe92Vxo0qooYEXIHd6XwVftSIo/1bi08p8jZS +Oc+kjoOKkfqmBSKpqYzTtlbafdVOPBAEaTa3k516ks3bDQn3gtU+2ucNB3fIvVVA +MI2//EaIMBIXorpcnOU3ja0nYCAf9kHAybRpBObWt7OLKFHcSatdE9El4Ri3YeJX +fN8iF5kHn7S+Nd9ZFlf3S1w= +-----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat index 4e59395e3..59495fc46 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat index f60be3887..a8c8a7097 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat @@ -7,11 +7,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home dave::expect-connection home -carol::ipsec up home -dave::ipsec up home +carol::swanctl --initiate --child home +dave::swanctl --initiate --child home diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf index 69b0757fd..0f02a1a11 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/transport-ikev1/description.txt b/testing/tests/ipv6/transport-ikev1/description.txt index 2d54790aa..c464aa25b 100644 --- a/testing/tests/ipv6/transport-ikev1/description.txt +++ b/testing/tests/ipv6/transport-ikev1/description.txt @@ -1,5 +1,6 @@ -An IPv6 ESP transport connection between the hosts moon and sun is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec SA, leftfirewall=yes automatically inserts ip6tables-based firewall -rules that let pass the protected traffic. In order to test both the transport connection -and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. +An IPv6 ESP transport connection between the hosts moon and sun is +successfully set up. The authentication is based on X.509 certificates. Upon the +successful establishment of the IPsec SA, automatically inserted ip6tables-based +firewall rules let pass the protected traffic. In order to test both the transport +connection and the firewall rules, moon sends an IPv6 ICMP request to +sun using the ping6 command. diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat index 5ae9d2c12..736425d36 100644 --- a/testing/tests/ipv6/transport-ikev1/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat @@ -1,9 +1,7 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f2938f307..000000000 --- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - type=transport - auto=add diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..016d51707 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 9af8aa862..000000000 --- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - fragmentation=yes - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - type=transport - auto=add diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf index 02280ac2f..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} - fragment_size = 1024 +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..deee09d83 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 1 + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev1/posttest.dat b/testing/tests/ipv6/transport-ikev1/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/transport-ikev1/posttest.dat +++ b/testing/tests/ipv6/transport-ikev1/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/transport-ikev1/pretest.dat b/testing/tests/ipv6/transport-ikev1/pretest.dat index 46c015387..7ab42a1ce 100644 --- a/testing/tests/ipv6/transport-ikev1/pretest.dat +++ b/testing/tests/ipv6/transport-ikev1/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/ipv6/transport-ikev1/test.conf b/testing/tests/ipv6/transport-ikev1/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/transport-ikev1/test.conf +++ b/testing/tests/ipv6/transport-ikev1/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ipv6/transport-ikev2/description.txt b/testing/tests/ipv6/transport-ikev2/description.txt index 2d54790aa..c464aa25b 100644 --- a/testing/tests/ipv6/transport-ikev2/description.txt +++ b/testing/tests/ipv6/transport-ikev2/description.txt @@ -1,5 +1,6 @@ -An IPv6 ESP transport connection between the hosts moon and sun is successfully set up. -The authentication is based on X.509 certificates. Upon the successful establishment of -the IPsec SA, leftfirewall=yes automatically inserts ip6tables-based firewall -rules that let pass the protected traffic. In order to test both the transport connection -and the firewall rules, moon sends an IPv6 ICMP request to sun using the ping6 command. +An IPv6 ESP transport connection between the hosts moon and sun is +successfully set up. The authentication is based on X.509 certificates. Upon the +successful establishment of the IPsec SA, automatically inserted ip6tables-based +firewall rules let pass the protected traffic. In order to test both the transport +connection and the firewall rules, moon sends an IPv6 ICMP request to +sun using the ping6 command. diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat index 0dfba54ea..48ddcd069 100644 --- a/testing/tests/ipv6/transport-ikev2/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat @@ -1,10 +1,7 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES -moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf deleted file mode 100644 index a48b6cbc6..000000000 --- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - mobike=no - keyexchange=ikev2 - -conn host-host - left=PH_IP6_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=PH_IP6_SUN - rightid=@sun.strongswan.org - type=transport - auto=add diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..2f06bbab4 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + host-host { + local_addrs = fec0::1 + remote_addrs = fec0::2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf deleted file mode 100644 index e80eb8101..000000000 --- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -ca strongswan - cacert=strongswanCert.pem - certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.strongswan.org/strongswan.crl - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - mobike=no - keyexchange=ikev2 - -conn host-host - left=PH_IP6_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - right=PH_IP6_MOON - rightid=@moon.strongswan.org - type=transport - auto=add diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf index 3a52f0db6..15f8ad5bc 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - hash_and_url = yes - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..dc981a7a7 --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + host-host { + local_addrs = fec0::2 + remote_addrs = fec0::1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + mode = transport + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} + +authorities { + strongswan { + cacert = strongswanCert.pem + crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl + } +} diff --git a/testing/tests/ipv6/transport-ikev2/posttest.dat b/testing/tests/ipv6/transport-ikev2/posttest.dat index d3bebd0c6..c0ba6f672 100644 --- a/testing/tests/ipv6/transport-ikev2/posttest.dat +++ b/testing/tests/ipv6/transport-ikev2/posttest.dat @@ -1,5 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/ipv6/transport-ikev2/pretest.dat b/testing/tests/ipv6/transport-ikev2/pretest.dat index 46c015387..cb7fe951f 100644 --- a/testing/tests/ipv6/transport-ikev2/pretest.dat +++ b/testing/tests/ipv6/transport-ikev2/pretest.dat @@ -2,8 +2,8 @@ moon::iptables-restore < /etc/iptables.drop sun::iptables-restore < /etc/iptables.drop moon::ip6tables-restore < /etc/ip6tables.rules sun::ip6tables-restore < /etc/ip6tables.rules -moon::ipsec start -sun::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection host-host sun::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host diff --git a/testing/tests/ipv6/transport-ikev2/test.conf b/testing/tests/ipv6/transport-ikev2/test.conf index e1d17aa16..459baf2d9 100644 --- a/testing/tests/ipv6/transport-ikev2/test.conf +++ b/testing/tests/ipv6/transport-ikev2/test.conf @@ -6,7 +6,7 @@ # All guest instances that are required for this test # VIRTHOSTS="moon winnetou sun" - + # Corresponding block diagram # DIAGRAM="m-w-s-ip6.png" @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # IP protocol used by IPsec is IPv6 # IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/host2host-cert/evaltest.dat b/testing/tests/libipsec/host2host-cert/evaltest.dat index 77c2528ea..f482c558a 100644 --- a/testing/tests/libipsec/host2host-cert/evaltest.dat +++ b/testing/tests/libipsec/host2host-cert/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32] +sun::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 6e8329a44..000000000 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf index c8897b084..7fac82eb7 100644 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no plugins { diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8f8b04029 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + host-host { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /etc/updown + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf deleted file mode 100644 index becb97e04..000000000 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf index c8897b084..7fac82eb7 100644 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no plugins { diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a0739647c --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + host-host { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /etc/updown + esp_proposals = aes128-sha256-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/host2host-cert/posttest.dat b/testing/tests/libipsec/host2host-cert/posttest.dat index 8b6052f38..23ebee582 100644 --- a/testing/tests/libipsec/host2host-cert/posttest.dat +++ b/testing/tests/libipsec/host2host-cert/posttest.dat @@ -1,5 +1,6 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike host-host 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::sysctl --pattern net.ipv4.conf.all.rp_filter --system diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat index 35c0f3e1c..00e5c199f 100644 --- a/testing/tests/libipsec/host2host-cert/pretest.dat +++ b/testing/tests/libipsec/host2host-cert/pretest.dat @@ -2,8 +2,8 @@ moon::sysctl -w net.ipv4.conf.all.rp_filter=2 sun::sysctl -w net.ipv4.conf.all.rp_filter=2 moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection host-host moon::expect-connection host-host -moon::ipsec up host-host +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/libipsec/host2host-cert/test.conf b/testing/tests/libipsec/host2host-cert/test.conf index 9647dc6a2..52d886dcc 100644 --- a/testing/tests/libipsec/host2host-cert/test.conf +++ b/testing/tests/libipsec/host2host-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat index 9365a8f44..36c0ee781 100644 --- a/testing/tests/libipsec/net2net-3des/evaltest.dat +++ b/testing/tests/libipsec/net2net-3des/evaltest.dat @@ -1,11 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048::YES -sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -moon::ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES -sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES +moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 141b4a3ed..000000000 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp2048! - esp=3des-sha1-modp2048! - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf index 467da3ac9..2d6b814dd 100644 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..fe2a4dd75 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = 3des-sha1-modp2048 + } + } + version = 2 + mobike = no + proposals = 3des-sha1-modp2048 + } +} diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 0108a04a3..000000000 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp2048! - esp=3des-sha1-modp2048! - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf index 467da3ac9..2d6b814dd 100644 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..54c35b3e1 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /etc/updown + esp_proposals = 3des-sha1-modp2048 + } + } + version = 2 + mobike = no + proposals = 3des-sha1-modp2048 + } +} diff --git a/testing/tests/libipsec/net2net-3des/posttest.dat b/testing/tests/libipsec/net2net-3des/posttest.dat index 1f7aa73a1..755f0e5f8 100644 --- a/testing/tests/libipsec/net2net-3des/posttest.dat +++ b/testing/tests/libipsec/net2net-3des/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat index bcc2cb04d..9440ddab0 100644 --- a/testing/tests/libipsec/net2net-3des/pretest.dat +++ b/testing/tests/libipsec/net2net-3des/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection net-net -moon::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-3des/test.conf b/testing/tests/libipsec/net2net-3des/test.conf index 646b8b3e6..07a3b247a 100644 --- a/testing/tests/libipsec/net2net-3des/test.conf +++ b/testing/tests/libipsec/net2net-3des/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-cert-ipv6/description.txt b/testing/tests/libipsec/net2net-cert-ipv6/description.txt new file mode 100644 index 000000000..ab582c3a5 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/description.txt @@ -0,0 +1,14 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and the kernel-libipsec +plugin is used for userland IPsec ESP encryption. +

+Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +ipsec0 tun interface. In order to test both tunnel and firewall, client alice +behind gateway moon pings client bob located behind gateway sun. +

+This scenario is mainly to test how fragmented IPv6 packets are handled (e.g. determining +the protocol via IPv6 extension headers). Three pings are required due to PMTUD, the first +is rejected by moon, so alice adjusts the MTU. The second gets through, +but the response is rejected by sun, so bob will adjust the MTU. The third +finally is successful. diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat new file mode 100644 index 000000000..e9a30b9ac --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat @@ -0,0 +1,5 @@ +alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org: icmp_seq=3::YES +moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES +sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..6870d32fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..586cc57c1 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = fec1::0/16[ipv6-icmp] + remote_ts = fec2::0/16[ipv6-icmp] + + updown = /etc/updown + esp_proposals = aes256gcm128-ecp384 + } + } + version = 2 + mobike = no + proposals = aes256-sha384-ecp384 + } +} diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown new file mode 100755 index 000000000..e7c3640d4 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown @@ -0,0 +1,597 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..6870d32fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..74977608d --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = fec2::0/16[ipv6-icmp] + remote_ts = fec1::0/16[ipv6-icmp] + + updown = /etc/updown + esp_proposals = aes256gcm128-ecp384 + } + } + version = 2 + mobike = no + proposals = aes256-sha384-ecp384 + } +} diff --git a/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown new file mode 100755 index 000000000..e7c3640d4 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown @@ -0,0 +1,597 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat b/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat new file mode 100644 index 000000000..8cbf20027 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat @@ -0,0 +1,9 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +alice::"ip route del fec2:\:/16 via fec1:\:1" +moon::"ip route del fec2:\:/16 via fec0:\:2" +sun::"ip route del fec1:\:/16 via fec0:\:1" +bob::"ip route del fec1:\:/16 via fec2:\:1" +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat b/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat new file mode 100644 index 000000000..20aca8291 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +alice::"ip route add fec2:\:/16 via fec1:\:1" +moon::"ip route add fec2:\:/16 via fec0:\:2" +sun::"ip route add fec1:\:/16 via fec0:\:1" +bob::"ip route add fec1:\:/16 via fec2:\:1" +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-cert-ipv6/test.conf b/testing/tests/libipsec/net2net-cert-ipv6/test.conf new file mode 100644 index 000000000..07a3b247a --- /dev/null +++ b/testing/tests/libipsec/net2net-cert-ipv6/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat index e489fec64..5364c1e82 100644 --- a/testing/tests/libipsec/net2net-cert/evaltest.dat +++ b/testing/tests/libipsec/net2net-cert/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES] sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 631adfcd3..000000000 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf index fa7c0ece2..e6a98b407 100644 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..239b7a4fe --- /dev/null +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf deleted file mode 100644 index b16440aa1..000000000 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf index fa7c0ece2..e6a98b407 100644 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..75b1c46f1 --- /dev/null +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /etc/updown + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/libipsec/net2net-cert/posttest.dat b/testing/tests/libipsec/net2net-cert/posttest.dat index 1f7aa73a1..755f0e5f8 100644 --- a/testing/tests/libipsec/net2net-cert/posttest.dat +++ b/testing/tests/libipsec/net2net-cert/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat index bcc2cb04d..9440ddab0 100644 --- a/testing/tests/libipsec/net2net-cert/pretest.dat +++ b/testing/tests/libipsec/net2net-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection net-net -moon::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-cert/test.conf b/testing/tests/libipsec/net2net-cert/test.conf index 646b8b3e6..07a3b247a 100644 --- a/testing/tests/libipsec/net2net-cert/test.conf +++ b/testing/tests/libipsec/net2net-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat index c1aae4032..af619f4b8 100644 --- a/testing/tests/libipsec/net2net-null/evaltest.dat +++ b/testing/tests/libipsec/net2net-null/evaltest.dat @@ -1,11 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES -sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES -sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES +moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=NULL integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=NULL integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=NULL integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f206a16fb..000000000 --- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=null-sha256-modp3072! - esp=null-sha256-modp3072! - mobike=no - -conn net-net - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf index 2beff1b76..9e2091f31 100644 --- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 revocation openssl curl vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..15b978249 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /etc/updown + esp_proposals = null-sha256-modp3072 + } + } + version = 2 + mobike = no + proposals = null-sha256-modp3072 + } +} diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 21b116595..000000000 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=null-sha256-modp3072! - esp=null-sha256-modp3072! - mobike=no - -conn net-net - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf index 2beff1b76..9e2091f31 100644 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf @@ -1,6 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce pem pkcs1 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce pem pkcs1 revocation openssl curl vici kernel-libipsec kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..df65eb085 --- /dev/null +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /etc/updown + esp_proposals = null-sha256-modp3072 + } + } + version = 2 + mobike = no + proposals = null-sha256-modp3072 + } +} diff --git a/testing/tests/libipsec/net2net-null/posttest.dat b/testing/tests/libipsec/net2net-null/posttest.dat index 1f7aa73a1..755f0e5f8 100644 --- a/testing/tests/libipsec/net2net-null/posttest.dat +++ b/testing/tests/libipsec/net2net-null/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -sun::ipsec stop +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-null/pretest.dat b/testing/tests/libipsec/net2net-null/pretest.dat index bcc2cb04d..9440ddab0 100644 --- a/testing/tests/libipsec/net2net-null/pretest.dat +++ b/testing/tests/libipsec/net2net-null/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -sun::expect-connection net-net -moon::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/libipsec/net2net-null/test.conf b/testing/tests/libipsec/net2net-null/test.conf index 646b8b3e6..07a3b247a 100644 --- a/testing/tests/libipsec/net2net-null/test.conf +++ b/testing/tests/libipsec/net2net-null/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt deleted file mode 100644 index a1b09405a..000000000 --- a/testing/tests/libipsec/rw-suite-b/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The roadwarriors carol and dave set up a connection to gateway moon. -The authentication is based on Suite B with 128 bit security based on X.509 ECDSA -certificates, ECP Diffie-Hellman groups and AES-GCM authenticated encryption. -The kernel-libipsec plugin is used for userland IPsec AES-GCM authenticated ESP -encryption. -

-Upon the successful establishment of the IPsec tunnel, an updown script automatically -inserts iptables-based firewall rules that let pass the traffic tunneled via the ipsec0 -tun interface. In order to test both tunnel and firewall, carol and dave ping -the client alice behind the gateway moon. diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat deleted file mode 100644 index 487a21c57..000000000 --- a/testing/tests/libipsec/rw-suite-b/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > carol.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP dave.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > dave.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 8106e28d2..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsourceip=%config - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index a85635faf..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj -BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME -GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv -bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3 -YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5 -nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR -Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49 -hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index d29ddb9ee..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49 -AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B -rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 3d6725162..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4ab9a617f..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - initiator_only = yes - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown +++ /dev/null @@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 9b6ca682a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftsourceip=%config - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index c83be145d..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh -RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw -FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz -d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c -CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3 -45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi -gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index 17e94022e..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49 -AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO -gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ebd3a2839..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules deleted file mode 100644 index 3d99c0197..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 4ab9a617f..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - initiator_only = yes - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown +++ /dev/null @@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf deleted file mode 100644 index abb34ac91..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="knl 3, esp 3" - -conn %default - ikelifetime=60m - keylife=20m - rekey=no - reauth=no - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=%any - rightsourceip=10.3.0.0/24 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a3b043e82..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq -/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw -FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz -d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C -DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6 -Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl -RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 5bd2778a9..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49 -AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP -3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf deleted file mode 100644 index d68b6e57a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown +++ /dev/null @@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/libipsec/rw-suite-b/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat deleted file mode 100644 index e87a8ee47..000000000 --- a/testing/tests/libipsec/rw-suite-b/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home -dave::expect-connection home -dave::ipsec up home diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/libipsec/rw-suite-b/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index c8f63bced..ee8cbcdef 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index f2c60511b..f5b116b3b 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -3,4 +3,9 @@ charon { load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index 28a5cad31..2236a5f71 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="tls 2" - conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 7af4b4e37..4aa2068f4 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -3,6 +3,11 @@ charon { load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } } libtls { diff --git a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf index dcd98b4de..ec3daa00a 100644 --- a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf +++ b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf @@ -1,8 +1,5 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -config setup - charondebug="knl 2" - conn %default ikelifetime=60m lifetime=10s diff --git a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf index 4234eb134..855ba919d 100644 --- a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf @@ -4,4 +4,9 @@ charon { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown # remove rekeyed inbound SA a bit quicker for the test scenario delete_rekeyed_delay = 2 + syslog { + daemon { + knl = 2 + } + } } diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat index a105fc040..cf289abd0 100644 --- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat +++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat @@ -12,8 +12,8 @@ moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES moon:: cat /var/log/daemon.log::assigning virtual IP::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES -moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*60m.*2::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/ip-pool-db-expired/posttest.dat +++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat index 068d72917..f8b710495 100644 --- a/testing/tests/sql/ip-pool-db-expired/pretest.dat +++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat @@ -5,12 +5,15 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --leases 2> /dev/null +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/ip-pool-db-restart/posttest.dat +++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat index 374693e36..e918fc238 100644 --- a/testing/tests/sql/ip-pool-db-restart/pretest.dat +++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat @@ -5,12 +5,15 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --leases 2> /dev/null +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/ip-pool-db/posttest.dat +++ b/testing/tests/sql/ip-pool-db/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/ip-pool-db/pretest.dat +++ b/testing/tests/sql/ip-pool-db/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat index b257564dc..ea0241af0 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat index d0c7b9c76..084bcd2f4 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat @@ -6,9 +6,12 @@ carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null moon::ipsec pool --leases 2> /dev/null -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat index b257564dc..ea0241af0 100644 --- a/testing/tests/sql/ip-split-pools-db/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat index e1f0c22ae..94df5b360 100644 --- a/testing/tests/sql/ip-split-pools-db/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db/pretest.dat @@ -5,9 +5,12 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/multi-level-ca/posttest.dat +++ b/testing/tests/sql/multi-level-ca/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/multi-level-ca/pretest.dat +++ b/testing/tests/sql/multi-level-ca/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat index 59badb867..8b792b878 100644 --- a/testing/tests/sql/net2net-cert/posttest.dat +++ b/testing/tests/sql/net2net-cert/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat index 6580e7604..dd91c3859 100644 --- a/testing/tests/sql/net2net-cert/pretest.dat +++ b/testing/tests/sql/net2net-cert/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -moon::expect-connection net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection net-net sun::expect-connection net-net moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat index 59badb867..8b792b878 100644 --- a/testing/tests/sql/net2net-psk/posttest.dat +++ b/testing/tests/sql/net2net-psk/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat index 6580e7604..dd91c3859 100644 --- a/testing/tests/sql/net2net-psk/pretest.dat +++ b/testing/tests/sql/net2net-psk/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -moon::expect-connection net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection net-net sun::expect-connection net-net moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat index 59badb867..8b792b878 100644 --- a/testing/tests/sql/net2net-route-pem/posttest.dat +++ b/testing/tests/sql/net2net-route-pem/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat index 576bd6738..614109c91 100644 --- a/testing/tests/sql/net2net-route-pem/pretest.dat +++ b/testing/tests/sql/net2net-route-pem/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection net-net alice::ping -c 1 -W 1 10.2.0.10 bob::ping -c 1 -W 1 10.1.0.20 diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat index 59badb867..8b792b878 100644 --- a/testing/tests/sql/net2net-start-pem/posttest.dat +++ b/testing/tests/sql/net2net-start-pem/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat index 8fc6d1a1c..f5eef5528 100644 --- a/testing/tests/sql/net2net-start-pem/pretest.dat +++ b/testing/tests/sql/net2net-start-pem/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl sun::expect-connection net-net -moon::service charon start 2> /dev/null -moon::sleep 4 +moon::systemctl start strongswan-swanctl +moon::sleep 4 diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-cert/posttest.dat +++ b/testing/tests/sql/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-cert/pretest.dat +++ b/testing/tests/sql/rw-cert/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat index d964629a2..3b1742150 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat @@ -2,10 +2,12 @@ moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-eap-aka carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-psk-ipv4/posttest.dat +++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-psk-ipv4/pretest.dat +++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat index 3f82576b6..8248b2d4d 100644 --- a/testing/tests/sql/rw-psk-ipv6/posttest.dat +++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat index 60a1055a2..0659eabbc 100644 --- a/testing/tests/sql/rw-psk-ipv6/pretest.dat +++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat @@ -4,6 +4,9 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules @@ -13,9 +16,9 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-rsa-keyid/posttest.dat +++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-rsa-keyid/pretest.dat +++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/sql/rw-rsa/posttest.dat +++ b/testing/tests/sql/rw-rsa/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat index 4d89bed3e..01a7fdff3 100644 --- a/testing/tests/sql/rw-rsa/pretest.dat +++ b/testing/tests/sql/rw-rsa/pretest.dat @@ -4,12 +4,15 @@ dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ips moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat index b02b19357..f66c5c57c 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat @@ -1,5 +1,5 @@ -alice::service charon stop 2> /dev/null -venus::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat index 8d61e4c87..d95028998 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat @@ -4,12 +4,15 @@ sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipse alice::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db venus::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +alice::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +venus::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::service charon start 2> /dev/null -alice::service charon start 2> /dev/null -venus::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl sun::expect-connection nat-t alice::expect-connection nat-t alice::swanctl --initiate --child nat-t 2> /dev/null diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf index ff6e7193e..ad4c18e43 100755 --- a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/config-payload/posttest.dat b/testing/tests/swanctl/config-payload/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/config-payload/posttest.dat +++ b/testing/tests/swanctl/config-payload/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/config-payload/pretest.dat b/testing/tests/swanctl/config-payload/pretest.dat index 9c281d032..706c08b5f 100755 --- a/testing/tests/swanctl/config-payload/pretest.dat +++ b/testing/tests/swanctl/config-payload/pretest.dat @@ -2,9 +2,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::cat /etc/swanctl/swanctl_base.conf -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-carol carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf index 61ff4005b..48e34abba 100644 --- a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - cache_crls = yes } diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf index 61ff4005b..48e34abba 100644 --- a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - cache_crls = yes } diff --git a/testing/tests/swanctl/crl-to-cache/posttest.dat b/testing/tests/swanctl/crl-to-cache/posttest.dat index 210685a90..58dfa27b8 100644 --- a/testing/tests/swanctl/crl-to-cache/posttest.dat +++ b/testing/tests/swanctl/crl-to-cache/posttest.dat @@ -1,4 +1,4 @@ -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/x509crl/* carol::rm /etc/swanctl/x509crl/* diff --git a/testing/tests/swanctl/crl-to-cache/pretest.dat b/testing/tests/swanctl/crl-to-cache/pretest.dat index 8f72f9cc7..b9e2a8eee 100644 --- a/testing/tests/swanctl/crl-to-cache/pretest.dat +++ b/testing/tests/swanctl/crl-to-cache/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf index dda67e0fc..9932df379 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf index dda67e0fc..9932df379 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf index 1f1e0a652..c00d3dc4b 100755 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf @@ -4,14 +4,9 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/swanctl/dhcp-dynamic/posttest.dat b/testing/tests/swanctl/dhcp-dynamic/posttest.dat index 87e731511..37e8b02d8 100644 --- a/testing/tests/swanctl/dhcp-dynamic/posttest.dat +++ b/testing/tests/swanctl/dhcp-dynamic/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl venus::cat /var/state/dhcp/dhcpd.leases venus::server isc-dhcp-server stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/dhcp-dynamic/pretest.dat b/testing/tests/swanctl/dhcp-dynamic/pretest.dat index fd3d1bf5b..ace13851a 100644 --- a/testing/tests/swanctl/dhcp-dynamic/pretest.dat +++ b/testing/tests/swanctl/dhcp-dynamic/pretest.dat @@ -3,9 +3,9 @@ carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules venus::cat /etc/dhcp/dhcpd.conf venus::service isc-dhcp-server start 2> /dev/null -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf index 2a7eaaa15..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/frags-ipv4/posttest.dat b/testing/tests/swanctl/frags-ipv4/posttest.dat index 17e36599c..2b4cc0c1a 100755 --- a/testing/tests/swanctl/frags-ipv4/posttest.dat +++ b/testing/tests/swanctl/frags-ipv4/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/frags-ipv4/pretest.dat b/testing/tests/swanctl/frags-ipv4/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/frags-ipv4/pretest.dat +++ b/testing/tests/swanctl/frags-ipv4/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf index f9c0ace55..6081084f7 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici fragment_size = 1400 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auth = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/frags-ipv6/posttest.dat b/testing/tests/swanctl/frags-ipv6/posttest.dat index 39b16a9be..07434159c 100755 --- a/testing/tests/swanctl/frags-ipv6/posttest.dat +++ b/testing/tests/swanctl/frags-ipv6/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/frags-ipv6/pretest.dat b/testing/tests/swanctl/frags-ipv6/pretest.dat index 9593ac9f8..131ec9937 100755 --- a/testing/tests/swanctl/frags-ipv6/pretest.dat +++ b/testing/tests/swanctl/frags-ipv6/pretest.dat @@ -7,9 +7,9 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf index 11b1576e4..886b31f9b 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici } diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf index be90bde25..886b31f9b 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf index 885d986c3..31cf56d24 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici plugins { attr-sql { @@ -21,4 +16,5 @@ charon { pool { load = sqlite + database = sqlite:///etc/db.d/ipsec.db } diff --git a/testing/tests/swanctl/ip-pool-db/posttest.dat b/testing/tests/swanctl/ip-pool-db/posttest.dat index 2644b3941..9767f38a5 100755 --- a/testing/tests/swanctl/ip-pool-db/posttest.dat +++ b/testing/tests/swanctl/ip-pool-db/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat index 955a3c9be..9573581df 100755 --- a/testing/tests/swanctl/ip-pool-db/pretest.dat +++ b/testing/tests/swanctl/ip-pool-db/pretest.dat @@ -7,9 +7,9 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf index 67e5a616a..ad4c18e43 100755 --- a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/ip-pool/posttest.dat b/testing/tests/swanctl/ip-pool/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/ip-pool/posttest.dat +++ b/testing/tests/swanctl/ip-pool/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/swanctl/ip-pool/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/ip-pool/pretest.dat +++ b/testing/tests/swanctl/ip-pool/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/manual-prio/posttest.dat b/testing/tests/swanctl/manual-prio/posttest.dat index fd9726374..c9dcaa167 100755 --- a/testing/tests/swanctl/manual-prio/posttest.dat +++ b/testing/tests/swanctl/manual-prio/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/swanctl/manual-prio/pretest.dat b/testing/tests/swanctl/manual-prio/pretest.dat index 8613a0189..ba345ffea 100755 --- a/testing/tests/swanctl/manual-prio/pretest.dat +++ b/testing/tests/swanctl/manual-prio/pretest.dat @@ -1,9 +1,9 @@ winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 carol::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index 7e2ee002e..54b79b35d 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf index 7e2ee002e..54b79b35d 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf index 40b0c5962..b18ba6809 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat index 25354d363..010a4f9c4 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat @@ -1,4 +1,4 @@ -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat index a6909c89f..57d39a5e6 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat @@ -5,9 +5,9 @@ alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat alice::radiusd -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf index 7c5aca6bf..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf index 7c5aca6bf..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/multi-level-ca/posttest.dat b/testing/tests/swanctl/multi-level-ca/posttest.dat index acac04a3b..53013d08d 100644 --- a/testing/tests/swanctl/multi-level-ca/posttest.dat +++ b/testing/tests/swanctl/multi-level-ca/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null -carol::rm -r /etc/swanctl -dave::rm -r /etc/swanctl -moon::rm -r /etc/swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* diff --git a/testing/tests/swanctl/multi-level-ca/pretest.dat b/testing/tests/swanctl/multi-level-ca/pretest.dat index 4c1be2e14..e7f2ef179 100644 --- a/testing/tests/swanctl/multi-level-ca/pretest.dat +++ b/testing/tests/swanctl/multi-level-ca/pretest.dat @@ -1,6 +1,6 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection research carol::expect-connection alice carol::swanctl --initiate --child alice 2> /dev/null diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-cert/posttest.dat b/testing/tests/swanctl/net2net-cert/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-cert/posttest.dat +++ b/testing/tests/swanctl/net2net-cert/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/swanctl/net2net-cert/pretest.dat index b128bef44..9440ddab0 100755 --- a/testing/tests/swanctl/net2net-cert/pretest.dat +++ b/testing/tests/swanctl/net2net-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf index d766a705c..a35aea01c 100755 --- a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf @@ -1,22 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - default = 1 - } - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf index d766a705c..a35aea01c 100755 --- a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf @@ -1,22 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - default = 1 - } - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-ed25519/posttest.dat b/testing/tests/swanctl/net2net-ed25519/posttest.dat index 8d47767a0..30f6ede76 100755 --- a/testing/tests/swanctl/net2net-ed25519/posttest.dat +++ b/testing/tests/swanctl/net2net-ed25519/posttest.dat @@ -1,6 +1,6 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::rm /etc/swanctl/pkcs8/* diff --git a/testing/tests/swanctl/net2net-ed25519/pretest.dat b/testing/tests/swanctl/net2net-ed25519/pretest.dat index f939b3ac4..410253e54 100755 --- a/testing/tests/swanctl/net2net-ed25519/pretest.dat +++ b/testing/tests/swanctl/net2net-ed25519/pretest.dat @@ -2,8 +2,8 @@ moon::rm /etc/swanctl/rsa/moonKey.pem sun::rm /etc/swanctl/rsa/sunKey.pem moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf index 4f54f610a..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-gw/posttest.dat b/testing/tests/swanctl/net2net-gw/posttest.dat index 94914f832..b29cf321e 100755 --- a/testing/tests/swanctl/net2net-gw/posttest.dat +++ b/testing/tests/swanctl/net2net-gw/posttest.dat @@ -1,8 +1,8 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null sun::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null -carol::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-gw/pretest.dat b/testing/tests/swanctl/net2net-gw/pretest.dat index e3136491c..acfd0e95e 100755 --- a/testing/tests/swanctl/net2net-gw/pretest.dat +++ b/testing/tests/swanctl/net2net-gw/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl carol::expect-connection gw-moon carol::expect-connection gw-sun moon::expect-connection gw-gw diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf index 2ff6ac024..812c12bf9 100644 --- a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf @@ -4,15 +4,11 @@ swanctl { load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - multiple_authentication = no + plugins { forecast { groups = 224.0.0.251 diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf index b119e8274..1c5da7b88 100644 --- a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf @@ -1,14 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - multiple_authentication = no + plugins { forecast { groups = 224.0.0.251 diff --git a/testing/tests/swanctl/net2net-multicast/posttest.dat b/testing/tests/swanctl/net2net-multicast/posttest.dat index ba484f90d..dc6949dbb 100644 --- a/testing/tests/swanctl/net2net-multicast/posttest.dat +++ b/testing/tests/swanctl/net2net-multicast/posttest.dat @@ -1,3 +1,3 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/net2net-multicast/pretest.dat b/testing/tests/swanctl/net2net-multicast/pretest.dat index 5b8d98879..c5b1bdbfd 100644 --- a/testing/tests/swanctl/net2net-multicast/pretest.dat +++ b/testing/tests/swanctl/net2net-multicast/pretest.dat @@ -1,7 +1,7 @@ moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf index 531e286ce..29e75f7b8 100644 --- a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf index 531e286ce..29e75f7b8 100644 --- a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-pubkey/posttest.dat b/testing/tests/swanctl/net2net-pubkey/posttest.dat index c2227a5dd..a8696960d 100644 --- a/testing/tests/swanctl/net2net-pubkey/posttest.dat +++ b/testing/tests/swanctl/net2net-pubkey/posttest.dat @@ -1,6 +1,6 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/net2net-pubkey/pretest.dat b/testing/tests/swanctl/net2net-pubkey/pretest.dat index b4f48af72..021675bc5 100644 --- a/testing/tests/swanctl/net2net-pubkey/pretest.dat +++ b/testing/tests/swanctl/net2net-pubkey/pretest.dat @@ -2,8 +2,8 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules sun::cd /etc/swanctl; rm x509/* x509ca/* moon::cd /etc/swanctl; rm x509/* x509ca/* -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl sun::expect-connection gw-gw moon::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf index 9d7fa51d4..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf index 4ca179a5f..61d2bd9e4 100755 --- a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-route/posttest.dat b/testing/tests/swanctl/net2net-route/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-route/posttest.dat +++ b/testing/tests/swanctl/net2net-route/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat index 459879bbc..fa303b64e 100755 --- a/testing/tests/swanctl/net2net-route/pretest.dat +++ b/testing/tests/swanctl/net2net-route/pretest.dat @@ -1,7 +1,7 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl sun::expect-connection gw-gw moon::expect-connection gw-gw alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf index f102eeeae..73bb5f6b3 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf index f102eeeae..73bb5f6b3 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat index b128bef44..9440ddab0 100755 --- a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl moon::expect-connection gw-gw sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf index 1f367c2a0..ad4c18e43 100755 --- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/net2net-start/posttest.dat b/testing/tests/swanctl/net2net-start/posttest.dat index 30d10b555..755f0e5f8 100755 --- a/testing/tests/swanctl/net2net-start/posttest.dat +++ b/testing/tests/swanctl/net2net-start/posttest.dat @@ -1,5 +1,5 @@ moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/swanctl/net2net-start/pretest.dat index 6c1783b74..681293753 100755 --- a/testing/tests/swanctl/net2net-start/pretest.dat +++ b/testing/tests/swanctl/net2net-start/pretest.dat @@ -1,5 +1,5 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules -sun::service charon start 2> /dev/null -moon::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl moon::sleep 0.5 diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf index e3eb4e36d..79b138bd5 100644 --- a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auths = /usr/local/sbin/swanctl --load-authorities - } plugins { revocation { enable_ocsp = no } - } + } } diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf index 3912f5e07..2e78d2279 100644 --- a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf @@ -1,12 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { revocation { enable_ocsp = no diff --git a/testing/tests/swanctl/ocsp-disabled/posttest.dat b/testing/tests/swanctl/ocsp-disabled/posttest.dat index 672f4188c..f13bb51b0 100644 --- a/testing/tests/swanctl/ocsp-disabled/posttest.dat +++ b/testing/tests/swanctl/ocsp-disabled/posttest.dat @@ -1,3 +1,3 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/ocsp-disabled/pretest.dat b/testing/tests/swanctl/ocsp-disabled/pretest.dat index e6d60458d..864909e24 100644 --- a/testing/tests/swanctl/ocsp-disabled/pretest.dat +++ b/testing/tests/swanctl/ocsp-disabled/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf index acf2151a9..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf index 6d368f08b..f3b571a1b 100644 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/strongswan.conf @@ -1,15 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-multi-level/posttest.dat b/testing/tests/swanctl/ocsp-multi-level/posttest.dat index acac04a3b..53013d08d 100644 --- a/testing/tests/swanctl/ocsp-multi-level/posttest.dat +++ b/testing/tests/swanctl/ocsp-multi-level/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home 2> /dev/null dave::swanctl --terminate --ike home 2> /dev/null -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null -carol::rm -r /etc/swanctl -dave::rm -r /etc/swanctl -moon::rm -r /etc/swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* +moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/* diff --git a/testing/tests/swanctl/ocsp-multi-level/pretest.dat b/testing/tests/swanctl/ocsp-multi-level/pretest.dat index 7b83e219d..505f17572 100644 --- a/testing/tests/swanctl/ocsp-multi-level/pretest.dat +++ b/testing/tests/swanctl/ocsp-multi-level/pretest.dat @@ -1,6 +1,6 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection research carol::expect-connection home carol::swanctl --initiate --child alice 2> /dev/null diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf index 9ea516013..c7b494ddc 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - auths = /usr/local/sbin/swanctl --load-authorities - } } diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf index 9ba617c0a..d9c31430b 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat index 672f4188c..f13bb51b0 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat +++ b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat @@ -1,3 +1,3 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl diff --git a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat index e6d60458d..864909e24 100644 --- a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat +++ b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat @@ -1,5 +1,5 @@ -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-dual/posttest.dat b/testing/tests/swanctl/protoport-dual/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/protoport-dual/posttest.dat +++ b/testing/tests/swanctl/protoport-dual/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/protoport-dual/pretest.dat b/testing/tests/swanctl/protoport-dual/pretest.dat index 87ee29bf6..2bdc109ab 100644 --- a/testing/tests/swanctl/protoport-dual/pretest.dat +++ b/testing/tests/swanctl/protoport-dual/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection icmp moon::expect-connection ssh carol::expect-connection icmp diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf index 383a24213..91e32f7ba 100644 --- a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/protoport-range/posttest.dat b/testing/tests/swanctl/protoport-range/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/protoport-range/posttest.dat +++ b/testing/tests/swanctl/protoport-range/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/protoport-range/pretest.dat b/testing/tests/swanctl/protoport-range/pretest.dat index b45d4b3c6..7f38b7662 100644 --- a/testing/tests/swanctl/protoport-range/pretest.dat +++ b/testing/tests/swanctl/protoport-range/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection icmp-req moon::expect-connection icmp-rep moon::expect-connection ftp-ssh diff --git a/testing/tests/swanctl/rw-cert-pss/description.txt b/testing/tests/swanctl/rw-cert-pss/description.txt new file mode 100755 index 000000000..41c02b519 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on X.509 certificates +and IKEv2 AUTH payloads based on RSA-PSS signatures. +

+Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/swanctl/rw-cert-pss/evaltest.dat new file mode 100755 index 000000000..a62fda968 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384 successful::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..3a9630fc1 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici + + syslog { + daemon { + default = 1 + } + auth { + default = 0 + } + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..1454ec54c --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/rsa/carolKey.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F + +1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b +/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ +/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o +Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ +f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 +LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv +06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC +e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr +3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC +sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily +c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy +UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h +XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T +iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO +Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO +v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO +t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H +8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA +jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p +p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS +7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk +GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ +4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 +yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd ++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7aceb6913 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = rsa/pss-sha512 + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..3a9630fc1 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici + + syslog { + daemon { + default = 1 + } + auth { + default = 0 + } + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4c7c177ed --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = rsa/pss-sha384 + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..4bd975a00 --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici + + rsa_pss = yes + + syslog { + daemon { + default = 1 + } + auth { + default = 0 + } + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4ba02ad6c --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-cert-pss/posttest.dat b/testing/tests/swanctl/rw-cert-pss/posttest.dat new file mode 100755 index 000000000..b909ac76c --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-cert-pss/pretest.dat b/testing/tests/swanctl/rw-cert-pss/pretest.dat new file mode 100755 index 000000000..dd1a17ccb --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-cert-pss/test.conf b/testing/tests/swanctl/rw-cert-pss/test.conf new file mode 100755 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-cert-pss/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf index 909bca0fc..b415e075c 100755 --- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-cert/posttest.dat b/testing/tests/swanctl/rw-cert/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-cert/posttest.dat +++ b/testing/tests/swanctl/rw-cert/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/swanctl/rw-cert/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-cert/pretest.dat +++ b/testing/tests/swanctl/rw-cert/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf index ec6625370..6339790cd 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { ipseckey { enable = yes diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf index ec6625370..6339790cd 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - plugins { ipseckey { enable = yes diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf index dcca175db..617b812d5 100644 --- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS diff --git a/testing/tests/swanctl/rw-dnssec/posttest.dat b/testing/tests/swanctl/rw-dnssec/posttest.dat index 48a4abe78..dba97a988 100644 --- a/testing/tests/swanctl/rw-dnssec/posttest.dat +++ b/testing/tests/swanctl/rw-dnssec/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-dnssec/pretest.dat b/testing/tests/swanctl/rw-dnssec/pretest.dat index 5faf602fc..ca44e08fc 100644 --- a/testing/tests/swanctl/rw-dnssec/pretest.dat +++ b/testing/tests/swanctl/rw-dnssec/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf index dd99cdbf9..653488a66 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-simaka-sql { database = sqlite:///etc/ipsec.d/ipsec.db diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf index dd99cdbf9..653488a66 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-simaka-sql { database = sqlite:///etc/ipsec.d/ipsec.db diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat index 3842250e6..2fa2d200d 100644 --- a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat @@ -3,8 +3,8 @@ carol::iptables-restore < /etc/iptables.rules carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db carol::cd /etc/swanctl; rm rsa/* x509/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-eap carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf index 4b8e68e6d..d2cc789b3 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf index 4b8e68e6d..d2cc789b3 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat index 2fc2bbb75..2b00bea8e 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat @@ -1,5 +1,5 @@ carol::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat index 96c1ed114..8cc1c4dc5 100644 --- a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat @@ -1,8 +1,8 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules carol::cd /etc/swanctl; rm rsa/* x509/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-eap carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf index 14afb43a1..cae0025f6 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } libtls { diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf index 14afb43a1..cae0025f6 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf @@ -1,16 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } libtls { diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf index c090d6853..9c4e819c5 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf index d58694c38..90f42a1c5 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - auths = /usr/local/sbin/swanctl --load-authorities - conns = /usr/local/sbin/swanctl --load-conns - } - hash_and_url = yes } diff --git a/testing/tests/swanctl/rw-hash-and-url/posttest.dat b/testing/tests/swanctl/rw-hash-and-url/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-hash-and-url/posttest.dat +++ b/testing/tests/swanctl/rw-hash-and-url/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-hash-and-url/pretest.dat b/testing/tests/swanctl/rw-hash-and-url/pretest.dat index 762c35418..dd1a17ccb 100755 --- a/testing/tests/swanctl/rw-hash-and-url/pretest.dat +++ b/testing/tests/swanctl/rw-hash-and-url/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf index 22b318472..b8874523b 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf @@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf index a55b90a5d..c2b18d966 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf @@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce des sha1 sha2 hmac pkcs1 pem x509 revocation gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf index e7b5caaf8..85354251d 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf @@ -1,23 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { +charon-systemd { load = random nonce aes des sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat index 37029c074..dc541004d 100755 --- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat +++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net-1 moon::expect-connection net-2 carol::expect-connection home diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf index 6bfef3d39..16dcf16a1 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf @@ -1,17 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { - load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici +charon-systemd { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf index 1d90adb5d..475705026 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf @@ -1,17 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { - load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici +charon-systemd { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf index d4e3ca2e5..16dcf16a1 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf @@ -1,18 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random + load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random } -charon { +charon-systemd { load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat +++ b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat index a550a2f6d..7772b25eb 100755 --- a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat +++ b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf index b158ccdb3..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf index b158ccdb3..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -1,13 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf index c6dd6be45..d655720cf 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -1,14 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat index 58d5b8675..84935ec51 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat +++ b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat index a550a2f6d..7772b25eb 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat +++ b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf index 335f38995..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/posttest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat index 519b168ae..48849c8b0 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf index e539ea5f4..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf index 02f6c1b36..a12456f26 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf index c42979965..f196d2431 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf @@ -4,20 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 gmp kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } - daemon { - cfg = 1 - ike = 1 - } - } } diff --git a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat index 3393f516d..51c301923 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection net-1 moon::expect-connection net-2 carol::expect-connection home diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf index 53973cf61..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf index 53973cf61..dcef959ef 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf index 5efaed621..0325fe9a2 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -4,11 +4,6 @@ swanctl { load = random openssl } -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat index d7107ccc6..b909ac76c 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/posttest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat index 519b168ae..48849c8b0 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf index 720e903c9..6b99d98a9 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat index 48a4abe78..dba97a988 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat +++ b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat index 5faf602fc..ca44e08fc 100755 --- a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat +++ b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf index dc166b588..331d5bc94 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 pubkey openssl random + load = pem pkcs1 pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf index 720e903c9..6b99d98a9 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf @@ -1,14 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random + load = pem pkcs1 x509 revocation constraints pubkey openssl random } -charon { - load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } +charon-systemd { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici } diff --git a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat index 48a4abe78..dba97a988 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat +++ b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::rm /etc/swanctl/pubkey/* carol::rm /etc/swanctl/pubkey/* dave::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat index de43d510d..e0ca17a4c 100755 --- a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat +++ b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat @@ -5,9 +5,9 @@ moon::cd /etc/swanctl; rm x509/* x509ca/* carol::cd /etc/swanctl; rm x509/* x509ca/* dave::cd /etc/swanctl; rm x509/* x509ca/* moon::cat /etc/swanctl/swanctl_base.conf -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-carol carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf index ee5b26120..bf799a29b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf @@ -1,11 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } keep_alive = 5 } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf index e5c0136d8..91e32f7ba 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - pools = /usr/local/sbin/swanctl --load-pools - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf index ee5b26120..bf799a29b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf @@ -1,11 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } keep_alive = 5 } diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat index b02b19357..f66c5c57c 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat @@ -1,5 +1,5 @@ -alice::service charon stop 2> /dev/null -venus::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat index d6bc0709e..e871fba2b 100644 --- a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat @@ -1,9 +1,9 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::service charon start 2> /dev/null -alice::service charon start 2> /dev/null -venus::service charon start 2> /dev/null +sun::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl sun::expect-connection nat-t alice::expect-connection nat-t venus::expect-connection nat-t diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf index 2976558fc..fccc73f22 100644 --- a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -1,10 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } } diff --git a/testing/tests/swanctl/xauth-rsa/posttest.dat b/testing/tests/swanctl/xauth-rsa/posttest.dat index d7107ccc6..b909ac76c 100644 --- a/testing/tests/swanctl/xauth-rsa/posttest.dat +++ b/testing/tests/swanctl/xauth-rsa/posttest.dat @@ -1,8 +1,8 @@ carol::swanctl --terminate --ike home dave::swanctl --terminate --ike home -carol::service charon stop 2> /dev/null -dave::service charon stop 2> /dev/null -moon::service charon stop 2> /dev/null +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/xauth-rsa/pretest.dat b/testing/tests/swanctl/xauth-rsa/pretest.dat index 762c35418..dd1a17ccb 100644 --- a/testing/tests/swanctl/xauth-rsa/pretest.dat +++ b/testing/tests/swanctl/xauth-rsa/pretest.dat @@ -1,9 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null -carol::service charon start 2> /dev/null -dave::service charon start 2> /dev/null +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf index 063bb6fc9..b094a3aaa 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf index 063bb6fc9..b094a3aaa 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf index a3d85b054..aacee2221 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 } diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat index f0f6446bf..79340af29 100644 --- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat @@ -10,9 +10,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf index 80c96b677..305a9d1e6 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf index 691cdbc2d..5d17eb638 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf index 71fc7dd0c..4c9dd6e1f 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat index 2989f347c..0d96563c1 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat index cc0ce6c31..efddc609e 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat @@ -11,9 +11,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf index 978cc6659..a534ac66e 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index 0bc6e3525..469e81156 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no retransmit_tries = 5 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf index 387236ebc..cbaf67c89 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat index db806c3c9..ab96df0ed 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second carol::echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat index 5745ffede..7d0dfa385 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat @@ -15,9 +15,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf index 09ca9d0e4..1ca6c3d10 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf index 9c6f28fe3..9df983c80 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } - syslog { - auth { - default = 0 - } + syslog { daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf index 71fc7dd0c..4c9dd6e1f 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { - secret = gv6URkSs - server = 10.1.0.10 + secret = gv6URkSs + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat index 2989f347c..0d96563c1 100644 --- a/testing/tests/tnc/tnccs-11-radius/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat index 57e2ee6b4..bb2ce93b3 100644 --- a/testing/tests/tnc/tnccs-11-radius/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat @@ -11,9 +11,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf index af30c204d..649426628 100644 --- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf index 524536228..0a20b9407 100644 --- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf index bba631b1f..ad5cb6205 100644 --- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-11/posttest.dat +++ b/testing/tests/tnc/tnccs-11/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-11/pretest.dat +++ b/testing/tests/tnc/tnccs-11/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf index fac3dc02d..aa8bb7cd3 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf index 168e4ec64..b3d3049be 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf index bb15d3ffa..b3845a3ee 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-block/posttest.dat +++ b/testing/tests/tnc/tnccs-20-block/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat index c09abf917..13677a470 100644 --- a/testing/tests/tnc/tnccs-20-block/pretest.dat +++ b/testing/tests/tnc/tnccs-20-block/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf index aceddc368..fa3458e22 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } @@ -27,7 +20,7 @@ libtls { libimcv { plugins { imc-test { - command = isolate + command = isolate retry = yes retry_command = allow } diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf index 7ac1a5d70..f4d6543aa 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } plugins { diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf index a0b807755..10d0ae864 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 2 @@ -34,7 +27,7 @@ libtls { libimcv { plugins { imv-test { - rounds = 0 + rounds = 0 } imv-scanner { closed_port_policy = yes diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat index 2248d002c..a327dae63 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat @@ -11,7 +11,7 @@ alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by T alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES alice::cat /var/log/daemon.log::role=.softwareCreator licensor tagCreator::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES @@ -20,5 +20,5 @@ alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by passwo alice::cat /var/log/daemon.log::received software ID events with ... items for request 9 at last eid 2 of epoch::YES alice::cat /var/log/daemon.log::3 SWID tag target::YES alice::cat /var/log/daemon.log::received software inventory with 3 items for request 9 at last eid 2 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf index 1148b945a..04d7dbacc 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -32,7 +29,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swima { @@ -44,6 +41,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat index c0d732368..3e4fbefa1 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf index 073355713..e91440326 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf index 6c1b9917b..6c84f3abb 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 @@ -24,7 +17,7 @@ charon { } tnccs-20 { tests { - pb_tnc_noskip = yes + pb_tnc_noskip = yes } } } diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf index 165c5ccb9..1e9995eb6 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf index 56fa7a967..66c6cb541 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf index cb6abf305..a6e58ba4e 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat index 9af5f39a2..8158822a6 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat @@ -1,4 +1,4 @@ -carol::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat index 5af3b7500..d61ea90ad 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat @@ -4,8 +4,8 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config carol::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf index c3338d43b..aa4934fb1 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf index 89d9e50bd..8fc1c8729 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf index 0cd34865c..4732fbd4b 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 2 diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat index f0f6446bf..79340af29 100644 --- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat @@ -10,9 +10,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf index 195534315..fb77fd87e 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 3 } } @@ -36,5 +30,5 @@ charon { libimcv { debug_level = 3 - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf index f0a6c4bde..883f154b8 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } @@ -43,7 +36,7 @@ libimcv { plugins { imc-hcd { - push_info = no + push_info = no subtypes { system { attributes_natural_language = en @@ -78,7 +71,7 @@ libimcv { resident_application { resident-app-1 { - name = Resident App XYZ + name = Resident App XYZ patches = "xmas patch 2014-12-24\r\nservice patch for App XYZ 2015-05-22\r\n" string_version = 2.5 version = 00000002000000050000000000000000 @@ -137,7 +130,7 @@ libimcv { version = 00000007000000080000000000000000 } } - + resident_application { resident-app-if { name = Resident Interface App @@ -150,10 +143,10 @@ libimcv { scanner { attributes_natural_language = en - + firmware { fw-scanner { - name = Scanner Firmware + name = Scanner Firmware patches = "security patch 2013-08-11\r\nsecurity patch 2015-5-30\r\n" string_version = 2.5.3 version = 00000002000000050000000300000000 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf index f5c3440c1..9f1718992 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } @@ -52,18 +45,18 @@ libimcv { vendor_smi_code = 36906 pstn_fax_enabled = yes time_source = 0.ch.pool.ntp.org - user_application_enabled = no + user_application_enabled = no user_application_persistence_enabled = no firmware { fw-1 { - name = Firmware ABC + name = Firmware ABC patches = "security patch 2014-05-08\r\nupgrade 2014-08-16\r\nsecurity patch 2015-3-22\r\n" string_version = 1.0.7 version = 00000001000000000000000700000000 } fw-2 { - name = Firmware UVW + name = Firmware UVW string_version = 13.8.5 version = 0000000D000000080000000500000000 } @@ -71,7 +64,7 @@ libimcv { resident_application { resident-app-1 { - name = Resident App XYZ + name = Resident App XYZ patches = "xmas patch 2014-12-24\r\nservice patch 2015-05-22\r\n" string_version = 2.5 version = 00000002000000050000000000000000 @@ -96,7 +89,7 @@ libimcv { interface { attributes_natural_language = en - + firmware { fw-if { name = Interface Firmware @@ -118,10 +111,10 @@ libimcv { scanner { attributes_natural_language = en - + firmware { fw-scanner { - name = Scanner Firmware + name = Scanner Firmware patches = "security patch 2013-08-11\r\nsecurity patch 2015-5-30\r\n" string_version = 2.5.3 version = 00000002000000050000000300000000 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf index 4dae69352..08e5e38e5 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf @@ -1,17 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { secret = gv6URkSs - #server = PH_IP6_ALICE + #server = PH_IP6_ALICE server = PH_IP_ALICE filter_id = yes } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat index bcd655353..33a60f9ab 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat @@ -1,7 +1,7 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop -alice::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat index f9b4159d9..decc2394a 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat @@ -9,10 +9,10 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::rm /etc/swanctl/rsa/aliceKey.pem alice::rm /etc/swanctl/x509/aliceCert.pem -alice::service charon start -moon::service charon start -carol::service charon start -dave::service charon start +alice::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf index a555970ec..a773b17be 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -36,10 +29,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { rounds = 1 - } + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf index b2280db18..7e049dc02 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf @@ -1,20 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown - multiple_authentication = no - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } + multiple_authentication = no syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -38,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = none + command = none } imv-test { - rounds = 1 - } + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat index 4677e46f0..8b792b878 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop -sun::service charon stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat index ac707d436..1a20775d8 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start -sun::service charon start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection mutual moon::expect-connection mutual moon::swanctl --initiate --child mutual diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf index 1212e2356..a773b17be 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -40,6 +33,6 @@ libimcv { } imv-test { rounds = 1 - } + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf index f29175d67..879a3cdac 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf @@ -1,20 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown - multiple_authentication = no - - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } + multiple_authentication = no syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -38,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { - rounds = 1 - } + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat index 4677e46f0..8b792b878 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat @@ -1,4 +1,4 @@ -moon::service charon stop -sun::service charon stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat index ac707d436..1a20775d8 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::service charon start -sun::service charon start +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl sun::expect-connection mutual moon::expect-connection mutual moon::swanctl --initiate --child mutual diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf index 9e694bc01..b596dbc1b 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { - load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 +charon-systemd { + load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 imv = 2 } @@ -36,10 +30,10 @@ libtls { libimcv { plugins { imc-test { - command = allow + command = allow } imv-test { - rounds = 1 - } + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat index d1f83a319..767e8f2ba 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat @@ -1 +1 @@ -sun::service charon stop +sun::systemctl stop strongswan-swanctl diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat index 8642292a8..9da18266e 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat @@ -1,4 +1,4 @@ -sun::service charon start +sun::systemctl start strongswan-swanctl moon::cat /etc/pts/options moon::sleep 1 moon::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat index 198b2bde3..7850e2e74 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat @@ -10,7 +10,7 @@ alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES @@ -21,5 +21,5 @@ alice::cat /var/log/daemon.log::received software ID inventory with ... items fo alice::cat /var/log/daemon.log::1 SWID tag target::YES alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ /usr/local/share/strongswan::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf index 1148b945a..04d7dbacc 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -32,7 +29,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swima { @@ -44,6 +41,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat index d8ac3ab41..c895148f2 100644 --- a/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat index 8056a90e9..5dbfa8247 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat @@ -1,19 +1,19 @@ -carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf index d3941d811..3e4d76f10 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 pts = 3 } diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf index 134cd991c..2e249d48d 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no retransmit_tries = 5 - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 pts = 3 } diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf index e58bab611..a683ba77c 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imv = 3 pts = 3 } @@ -34,10 +27,10 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { - hash_algorithm = sha1 + hash_algorithm = sha256 } } } diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat index 03e5f22af..1167f55ea 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat @@ -12,14 +12,14 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate -carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf index ef90078f2..3ec0227b2 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf index 4af05ad31..7de2756a9 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index 53c515f77..8e8fda6c4 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 2 imv = 3 } } diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-os/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 13ae2b71f..3c5037aae 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -13,9 +13,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf index 240ebbafb..e01fe4b4c 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -1,17 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 3 } } @@ -35,7 +29,7 @@ charon { } libimcv { - debug_level = 3 + debug_level = 3 database = sqlite:///etc/db.d/config.db policy_script = /usr/local/libexec/ipsec/imv_policy_manager diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf index 47b9affed..a8aff3883 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf index d00808398..852e0714e 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 3 } } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf index 8b931afc9..bcf316622 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf @@ -1,18 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } plugins { eap-radius { secret = gv6URkSs - #server = PH_IP6_ALICE + #server = PH_IP6_ALICE server = PH_IP_ALICE filter_id = yes } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat index e5ec2afc7..97850dc97 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat @@ -1,8 +1,8 @@ -moon::service charon stop -carol::service charon stop -dave::service charon stop -alice::service charon stop -alice::service apache2 stop +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/x509/aaaCert.pem alice::rm /etc/swanctl/rsa/aaaKey.pem moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat index 385cc305a..15dcc54d8 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -17,11 +17,11 @@ alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc -alice::service apache2 start -alice::service charon start -moon::service charon start -dave::service charon start -carol::service charon start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat index fc232bfde..bf4191618 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat @@ -9,7 +9,7 @@ alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES @@ -19,5 +19,5 @@ alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items fo alice::cat /var/log/daemon.log::1 SWID tag target::YES alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES alice::cat /var/log/daemon.log::strongswan.org__strongSwan-::YES -alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index b08a85bb4..944a5928d 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,15 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite syslog { - auth { - default = 0 - } daemon { tls = 2 - tnc = 2 + tnc = 2 imv = 3 } } @@ -29,7 +26,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-swid { @@ -39,6 +36,6 @@ libimcv { } imv_policy_manager { - command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' - command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' + command_allow = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon-systemd -p auth.alert "\"host with IP address %s is blocked\""' } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat index 09c8a6cbc..c0049d7fd 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat @@ -1,8 +1,8 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::service charon stop -alice::service apache2 stop +alice::systemctl stop strongswan-swanctl +alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat index d8ac3ab41..c895148f2 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat @@ -13,8 +13,8 @@ alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/usr/local/bin/init_tnc alice::rm /etc/swanctl/x509/aliceCert.pem alice::rm /etc/swanctl/rsa/aliceKey.pem -alice::service charon start -alice::service apache2 start +alice::systemctl start apache2 +alice::systemctl start strongswan-swanctl alice::swanctl --load-creds winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf index f4fb7e2dc..3b477dd81 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index b7a772692..9da89723d 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf index 46ed39bb8..1e5f7becf 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 @@ -34,7 +27,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat index d89aa2309..2e95da89d 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat @@ -12,9 +12,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -dave::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf index 2eb34841d..8ebf56878 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf @@ -1,22 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 3 + tnc = 3 imc = 3 - pts = 3 + pts = 3 } } } diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index e9fa8cb80..0b47d35e7 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index e58bab611..bf14fe327 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 @@ -34,7 +27,7 @@ libtls { libimcv { database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager + policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { imv-attestation { hash_algorithm = sha1 diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat index ce72d2ca9..9c55c19cd 100644 --- a/testing/tests/tnc/tnccs-20-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat index d89aa2309..2e95da89d 100644 --- a/testing/tests/tnc/tnccs-20-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat @@ -12,9 +12,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -dave::service charon start -carol::service charon start +moon::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate dave::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf index 7e51900a1..7f7f52869 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } } @@ -27,7 +20,7 @@ libtls { libimcv { plugins { imc-test { - command = retry + command = retry retry_command = allow } } diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf index 4aeda6674..d93482b10 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imc = 2 + imc = 2 } } plugins { @@ -32,7 +25,7 @@ libtls { libimcv { plugins { imc-test { - command = retry + command = retry retry_command = isolate } imc-scanner { diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf index 902e837f5..10d0ae864 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf @@ -1,21 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 - imv = 2 + imv = 2 } } plugins { @@ -34,7 +27,7 @@ libtls { libimcv { plugins { imv-test { - rounds = 0 + rounds = 0 } imv-scanner { closed_port_policy = yes diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf index 73f32424e..dab32e727 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf index 07df4c086..e26da3e7a 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imc = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf index 7aef92f39..66799c1e4 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf @@ -1,20 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { - tnc = 2 + tnc = 2 imv = 2 } } diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat index 1d11baa99..57985e682 100644 --- a/testing/tests/tnc/tnccs-20-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf index 887806475..da21bc6f8 100644 --- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf index e78272b43..e90055fad 100644 --- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf index 165c5ccb9..1e9995eb6 100644 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf @@ -1,18 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-20/posttest.dat +++ b/testing/tests/tnc/tnccs-20/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-20/pretest.dat +++ b/testing/tests/tnc/tnccs-20/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf index 609852bc7..f0f941815 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf index 2c0deca5e..e5925a4cf 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imc = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf index d61bcd111..0261fe1b0 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf @@ -1,19 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file -charon { +charon-systemd { load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown multiple_authentication=no integrity_test = yes - start-scripts { - creds = /usr/local/sbin/swanctl --load-creds - conns = /usr/local/sbin/swanctl --load-conns - } syslog { - auth { - default = 0 - } daemon { tnc = 3 imv = 3 diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat index 770cf6ede..199873ba1 100644 --- a/testing/tests/tnc/tnccs-dynamic/posttest.dat +++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat @@ -1,6 +1,6 @@ -carol::service charon stop -dave::service charon stop -moon::service charon stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat index e173ae798..a1f0470fe 100644 --- a/testing/tests/tnc/tnccs-dynamic/pretest.dat +++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat @@ -8,9 +8,9 @@ carol::rm /etc/swanctl/rsa/* dave::rm /etc/swanctl/rsa/* carol::rm /etc/swanctl/x509/* dave::rm /etc/swanctl/x509/* -moon::service charon start -carol::service charon start -dave::service charon start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw-allow moon::expect-connection rw-isolate carol::expect-connection home -- cgit v1.2.3