From 518dd33c94e041db0444c7d1f33da363bb8e3faf Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 24 Mar 2016 11:59:32 +0100 Subject: Imported Upstream version 5.4.0 --- testing/Makefile.in | 2 + testing/do-tests | 31 ++-- testing/hosts/alice/etc/ipsec.d/ipsec.sql | 4 +- testing/hosts/bob/etc/ipsec.d/ipsec.sql | 4 +- testing/hosts/carol/etc/ipsec.d/ipsec.sql | 4 +- testing/hosts/dave/etc/ipsec.d/ipsec.sql | 4 +- .../hosts/default/usr/local/bin/expect-connection | 8 +- testing/hosts/moon/etc/ipsec.d/ipsec.sql | 4 +- testing/hosts/sun/etc/ipsec.d/ipsec.sql | 4 +- testing/hosts/venus/etc/ipsec.d/ipsec.sql | 4 +- testing/hosts/winnetou/etc/openssl/generate-crl | 3 + testing/scripts/recipes/013_strongswan.mk | 1 - testing/tests/af-alg/alg-camellia/description.txt | 5 +- testing/tests/af-alg/alg-camellia/evaltest.dat | 8 +- .../af-alg/alg-camellia/hosts/carol/etc/ipsec.conf | 22 --- .../alg-camellia/hosts/carol/etc/strongswan.conf | 7 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 ++++ .../af-alg/alg-camellia/hosts/moon/etc/ipsec.conf | 21 --- .../alg-camellia/hosts/moon/etc/strongswan.conf | 7 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 ++++ testing/tests/af-alg/alg-camellia/posttest.dat | 5 +- testing/tests/af-alg/alg-camellia/pretest.dat | 7 +- testing/tests/af-alg/alg-camellia/test.conf | 4 + testing/tests/af-alg/rw-cert/description.txt | 4 +- testing/tests/af-alg/rw-cert/evaltest.dat | 13 +- .../af-alg/rw-cert/hosts/carol/etc/ipsec.conf | 22 --- .../af-alg/rw-cert/hosts/carol/etc/strongswan.conf | 7 +- .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf | 27 ++++ .../tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf | 22 --- .../af-alg/rw-cert/hosts/dave/etc/strongswan.conf | 8 +- .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf | 27 ++++ .../tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf | 21 --- .../af-alg/rw-cert/hosts/moon/etc/strongswan.conf | 7 +- .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf | 25 ++++ testing/tests/af-alg/rw-cert/posttest.dat | 8 +- testing/tests/af-alg/rw-cert/pretest.dat | 14 +- testing/tests/af-alg/rw-cert/test.conf | 4 + .../tests/gcrypt-ikev2/alg-camellia/evaltest.dat | 4 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 2 +- .../alg-camellia/hosts/moon/etc/ipsec.conf | 2 +- testing/tests/gcrypt-ikev2/rw-cert/pretest.dat | 1 + testing/tests/ha/active-passive/pretest.dat | 1 - testing/tests/ikev1/alg-3des-md5/evaltest.dat | 4 +- testing/tests/ikev1/alg-sha256/evaltest.dat | 8 +- .../ikev1/alg-sha256/hosts/carol/etc/ipsec.conf | 4 +- .../ikev1/alg-sha256/hosts/moon/etc/ipsec.conf | 4 +- testing/tests/ikev1/alg-sha384/evaltest.dat | 4 +- testing/tests/ikev1/alg-sha512/evaltest.dat | 4 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 - .../ikev1/xauth-rsa-eap-md5-radius/evaltest.dat | 2 +- testing/tests/ikev1/xauth-rsa-radius/evaltest.dat | 2 +- testing/tests/ikev2/alg-aes-xcbc/evaltest.dat | 4 +- .../ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf | 4 +- .../ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf | 4 +- testing/tests/ikev2/alg-sha256-96/evaltest.dat | 4 +- .../ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf | 4 +- .../ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf | 4 +- testing/tests/ikev2/alg-sha256/evaltest.dat | 4 +- .../ikev2/alg-sha256/hosts/carol/etc/ipsec.conf | 4 +- .../ikev2/alg-sha256/hosts/moon/etc/ipsec.conf | 4 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 - .../hosts/moon/etc/strongswan.conf | 2 - .../ip-two-pools-db/hosts/moon/etc/strongswan.conf | 2 - .../hosts/moon/etc/strongswan.conf | 2 - .../hosts/moon/etc/strongswan.conf | 2 - testing/tests/ikev2/ip-two-pools/pretest.dat | 2 +- .../tests/ikev2/reauth-mbb-revoked/description.txt | 15 ++ .../tests/ikev2/reauth-mbb-revoked/evaltest.dat | 10 ++ .../reauth-mbb-revoked/hosts/carol/etc/ipsec.conf | 21 +++ .../hosts/carol/etc/strongswan.conf | 7 + .../reauth-mbb-revoked/hosts/moon/etc/ipsec.conf | 19 +++ .../hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/reauth-mbb-revoked/posttest.dat | 3 + testing/tests/ikev2/reauth-mbb-revoked/pretest.dat | 4 + testing/tests/ikev2/reauth-mbb-revoked/test.conf | 21 +++ .../tests/ikev2/redirect-active/description.txt | 8 ++ testing/tests/ikev2/redirect-active/evaltest.dat | 28 ++++ .../redirect-active/hosts/alice/etc/ipsec.conf | 19 +++ .../hosts/alice/etc/ipsec.d/certs/marsCert.pem | 25 ++++ .../hosts/alice/etc/ipsec.d/private/marsKey.pem | 27 ++++ .../redirect-active/hosts/alice/etc/ipsec.secrets | 3 + .../redirect-active/hosts/alice/etc/iptables.rules | 34 +++++ .../hosts/alice/etc/strongswan.conf | 6 + .../redirect-active/hosts/carol/etc/ipsec.conf | 19 +++ .../hosts/carol/etc/strongswan.conf | 5 + .../redirect-active/hosts/dave/etc/ipsec.conf | 19 +++ .../redirect-active/hosts/dave/etc/strongswan.conf | 6 + .../redirect-active/hosts/moon/etc/ipsec.conf | 18 +++ .../hosts/moon/etc/ipsec.d/certs/marsCert.pem | 25 ++++ .../hosts/moon/etc/ipsec.d/private/marsKey.pem | 27 ++++ .../redirect-active/hosts/moon/etc/ipsec.secrets | 3 + .../redirect-active/hosts/moon/etc/strongswan.conf | 6 + testing/tests/ikev2/redirect-active/posttest.dat | 10 ++ testing/tests/ikev2/redirect-active/pretest.dat | 13 ++ testing/tests/ikev2/redirect-active/test.conf | 21 +++ testing/tests/ikev2/rw-dnssec/pretest.dat | 2 +- testing/tests/ikev2/trap-any/evaltest.dat | 10 +- testing/tests/libipsec/net2net-null/evaltest.dat | 4 +- .../net2net-null/hosts/moon/etc/ipsec.conf | 4 +- .../libipsec/net2net-null/hosts/sun/etc/ipsec.conf | 4 +- .../tests/openssl-ikev1/alg-camellia/evaltest.dat | 12 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 4 +- .../alg-camellia/hosts/moon/etc/ipsec.conf | 4 +- .../tests/openssl-ikev1/ecdsa-certs/evaltest.dat | 8 +- .../tests/openssl-ikev2/alg-camellia/evaltest.dat | 12 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 4 +- .../alg-camellia/hosts/moon/etc/ipsec.conf | 4 +- testing/tests/pfkey/alg-aes-xcbc/evaltest.dat | 4 +- .../pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf | 4 +- .../pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf | 4 +- testing/tests/sql/ip-pool-db-expired/evaltest.dat | 12 +- .../hosts/carol/etc/ipsec.d/data.sql | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../hosts/dave/etc/ipsec.d/data.sql | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../hosts/moon/etc/ipsec.d/data.sql | 2 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/ip-pool-db-expired/posttest.dat | 8 +- testing/tests/sql/ip-pool-db-expired/pretest.dat | 14 +- testing/tests/sql/ip-pool-db-expired/test.conf | 4 + testing/tests/sql/ip-pool-db-restart/evaltest.dat | 12 +- .../hosts/carol/etc/ipsec.d/data.sql | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../hosts/dave/etc/ipsec.d/data.sql | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../hosts/moon/etc/ipsec.d/data.sql | 2 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/ip-pool-db-restart/posttest.dat | 8 +- testing/tests/sql/ip-pool-db-restart/pretest.dat | 14 +- testing/tests/sql/ip-pool-db-restart/test.conf | 4 + testing/tests/sql/ip-pool-db/evaltest.dat | 12 +- .../ip-pool-db/hosts/carol/etc/ipsec.d/data.sql | 2 +- .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql | 2 +- .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf | 2 +- .../ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf | 1 + .../sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf | 8 +- .../ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/ip-pool-db/posttest.dat | 11 +- testing/tests/sql/ip-pool-db/pretest.dat | 14 +- testing/tests/sql/ip-pool-db/test.conf | 4 + .../sql/ip-split-pools-db-restart/evaltest.dat | 12 +- .../hosts/carol/etc/ipsec.d/data.sql | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../hosts/dave/etc/ipsec.d/data.sql | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../hosts/moon/etc/ipsec.d/data.sql | 2 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + .../sql/ip-split-pools-db-restart/posttest.dat | 8 +- .../sql/ip-split-pools-db-restart/pretest.dat | 14 +- .../tests/sql/ip-split-pools-db-restart/test.conf | 4 + testing/tests/sql/ip-split-pools-db/evaltest.dat | 11 +- .../hosts/carol/etc/ipsec.d/data.sql | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../hosts/dave/etc/ipsec.d/data.sql | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../hosts/moon/etc/ipsec.d/data.sql | 2 +- .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/ip-split-pools-db/posttest.dat | 8 +- testing/tests/sql/ip-split-pools-db/pretest.dat | 14 +- testing/tests/sql/ip-split-pools-db/test.conf | 3 + testing/tests/sql/multi-level-ca/evaltest.dat | 16 +-- .../hosts/carol/etc/ipsec.d/data.sql | 2 +- .../multi-level-ca/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../multi-level-ca/hosts/dave/etc/ipsec.d/data.sql | 2 +- .../multi-level-ca/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../multi-level-ca/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../multi-level-ca/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/multi-level-ca/posttest.dat | 8 +- testing/tests/sql/multi-level-ca/pretest.dat | 14 +- testing/tests/sql/multi-level-ca/test.conf | 4 + testing/tests/sql/net2net-cert/evaltest.dat | 6 +- .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../net2net-cert/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql | 2 +- .../sql/net2net-cert/hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/net2net-cert/posttest.dat | 4 +- testing/tests/sql/net2net-cert/pretest.dat | 11 +- testing/tests/sql/net2net-cert/test.conf | 4 + testing/tests/sql/net2net-psk/evaltest.dat | 6 +- .../net2net-psk/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../sql/net2net-psk/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + .../sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql | 2 +- .../sql/net2net-psk/hosts/sun/etc/strongswan.conf | 2 +- .../net2net-psk/hosts/sun/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/net2net-psk/posttest.dat | 4 +- testing/tests/sql/net2net-psk/pretest.dat | 11 +- testing/tests/sql/net2net-psk/test.conf | 4 + testing/tests/sql/net2net-route-pem/evaltest.dat | 12 +- .../hosts/moon/etc/ipsec.d/data.sql | 6 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + .../hosts/sun/etc/ipsec.d/data.sql | 6 +- .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/net2net-route-pem/posttest.dat | 4 +- testing/tests/sql/net2net-route-pem/pretest.dat | 10 +- testing/tests/sql/net2net-route-pem/test.conf | 4 + testing/tests/sql/net2net-start-pem/evaltest.dat | 10 +- .../hosts/moon/etc/ipsec.d/data.sql | 14 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + .../hosts/sun/etc/ipsec.d/data.sql | 14 +- .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/net2net-start-pem/posttest.dat | 4 +- testing/tests/sql/net2net-start-pem/pretest.dat | 10 +- testing/tests/sql/net2net-start-pem/test.conf | 4 + testing/tests/sql/rw-cert/evaltest.dat | 12 +- .../sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql | 2 +- .../sql/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf | 1 + .../sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql | 2 +- .../sql/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf | 1 + .../sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../sql/rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/rw-cert/posttest.dat | 8 +- testing/tests/sql/rw-cert/pretest.dat | 14 +- testing/tests/sql/rw-cert/test.conf | 4 + testing/tests/sql/rw-eap-aka-rsa/evaltest.dat | 8 +- .../hosts/carol/etc/ipsec.d/data.sql | 2 +- .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/rw-eap-aka-rsa/posttest.dat | 5 +- testing/tests/sql/rw-eap-aka-rsa/pretest.dat | 9 +- testing/tests/sql/rw-eap-aka-rsa/test.conf | 4 + testing/tests/sql/rw-psk-ipv4/evaltest.dat | 13 +- .../rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql | 2 +- .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql | 2 +- .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/rw-psk-ipv4/posttest.dat | 8 +- testing/tests/sql/rw-psk-ipv4/pretest.dat | 14 +- testing/tests/sql/rw-psk-ipv4/test.conf | 4 + testing/tests/sql/rw-psk-ipv6/evaltest.dat | 13 +- .../rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql | 2 +- .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql | 2 +- .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/rw-psk-ipv6/posttest.dat | 8 +- testing/tests/sql/rw-psk-ipv6/pretest.dat | 14 +- testing/tests/sql/rw-psk-ipv6/test.conf | 6 +- testing/tests/sql/rw-psk-rsa-split/evaltest.dat | 12 +- .../hosts/carol/etc/ipsec.d/data.sql | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../hosts/dave/etc/ipsec.d/data.sql | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../hosts/moon/etc/ipsec.d/data.sql | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/rw-psk-rsa-split/posttest.dat | 8 +- testing/tests/sql/rw-psk-rsa-split/pretest.dat | 14 +- testing/tests/sql/rw-psk-rsa-split/test.conf | 4 + testing/tests/sql/rw-rsa-keyid/evaltest.dat | 12 +- .../rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql | 2 +- .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql | 2 +- .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/rw-rsa-keyid/posttest.dat | 8 +- testing/tests/sql/rw-rsa-keyid/pretest.dat | 14 +- testing/tests/sql/rw-rsa-keyid/test.conf | 4 + testing/tests/sql/rw-rsa/evaltest.dat | 12 +- .../sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql | 2 +- .../sql/rw-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../rw-rsa/hosts/carol/etc/swanctl/swanctl.conf | 1 + .../sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql | 2 +- .../sql/rw-rsa/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-rsa/hosts/dave/etc/swanctl/swanctl.conf | 1 + .../sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql | 2 +- .../sql/rw-rsa/hosts/moon/etc/strongswan.conf | 2 +- .../sql/rw-rsa/hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/sql/rw-rsa/posttest.dat | 8 +- testing/tests/sql/rw-rsa/pretest.dat | 14 +- testing/tests/sql/rw-rsa/test.conf | 4 + .../tests/sql/shunt-policies-nat-rw/evaltest.dat | 13 +- .../hosts/alice/etc/ipsec.conf | 3 - .../hosts/alice/etc/ipsec.secrets | 3 - .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/alice/etc/swanctl/swanctl.conf | 1 + .../shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf | 3 - .../hosts/sun/etc/ipsec.d/data.sql | 2 +- .../hosts/sun/etc/ipsec.secrets | 3 - .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/swanctl.conf | 1 + .../hosts/venus/etc/ipsec.conf | 3 - .../hosts/venus/etc/ipsec.secrets | 3 - .../hosts/venus/etc/strongswan.conf | 2 +- .../hosts/venus/etc/swanctl/swanctl.conf | 1 + .../tests/sql/shunt-policies-nat-rw/posttest.dat | 8 +- .../tests/sql/shunt-policies-nat-rw/pretest.dat | 15 +- testing/tests/sql/shunt-policies-nat-rw/test.conf | 4 + .../tests/swanctl/config-payload/description.txt | 8 ++ testing/tests/swanctl/config-payload/evaltest.dat | 16 +++ .../config-payload/hosts/carol/etc/strongswan.conf | 14 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 28 ++++ .../config-payload/hosts/dave/etc/strongswan.conf | 14 ++ .../hosts/dave/etc/swanctl/swanctl.conf | 28 ++++ .../config-payload/hosts/moon/etc/strongswan.conf | 15 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 34 +++++ .../hosts/moon/etc/swanctl/swanctl_base.conf | 17 +++ testing/tests/swanctl/config-payload/posttest.dat | 8 ++ testing/tests/swanctl/config-payload/pretest.dat | 12 ++ testing/tests/swanctl/config-payload/test.conf | 25 ++++ testing/tests/swanctl/dhcp-dynamic/description.txt | 8 ++ testing/tests/swanctl/dhcp-dynamic/evaltest.dat | 22 +++ .../dhcp-dynamic/hosts/carol/etc/strongswan.conf | 14 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 28 ++++ .../dhcp-dynamic/hosts/dave/etc/strongswan.conf | 14 ++ .../hosts/dave/etc/swanctl/swanctl.conf | 28 ++++ .../swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf | 9 ++ .../dhcp-dynamic/hosts/moon/etc/iptables.rules | 39 +++++ .../dhcp-dynamic/hosts/moon/etc/strongswan.conf | 20 +++ .../hosts/moon/etc/swanctl/swanctl.conf | 26 ++++ .../dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf | 14 ++ .../dhcp-dynamic/hosts/venus/etc/dnsmasq.conf | 7 + testing/tests/swanctl/dhcp-dynamic/posttest.dat | 12 ++ testing/tests/swanctl/dhcp-dynamic/pretest.dat | 13 ++ testing/tests/swanctl/dhcp-dynamic/test.conf | 25 ++++ testing/tests/swanctl/frags-ipv4/description.txt | 8 +- testing/tests/swanctl/frags-ipv4/evaltest.dat | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 5 - .../frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf | 5 - .../frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf | 5 - testing/tests/swanctl/frags-ipv4/pretest.dat | 4 +- testing/tests/swanctl/frags-ipv6/evaltest.dat | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 5 - .../frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf | 5 - .../frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf | 5 - testing/tests/swanctl/frags-ipv6/pretest.dat | 4 +- testing/tests/swanctl/ip-pool-db/evaltest.dat | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 9 +- .../ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf | 9 +- .../ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf | 9 +- testing/tests/swanctl/ip-pool-db/pretest.dat | 6 +- testing/tests/swanctl/ip-pool/evaltest.dat | 8 +- .../ip-pool/hosts/carol/etc/swanctl/swanctl.conf | 9 +- .../ip-pool/hosts/dave/etc/swanctl/swanctl.conf | 9 +- .../ip-pool/hosts/moon/etc/swanctl/swanctl.conf | 9 +- testing/tests/swanctl/ip-pool/pretest.dat | 4 +- .../mult-auth-rsa-eap-sim-id/description.txt | 17 +++ .../swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat | 20 +++ .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 61 ++++++++ .../hosts/alice/etc/freeradius/triplets.dat | 6 + .../hosts/alice/etc/freeradius/users | 0 .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../hosts/carol/etc/strongswan.conf | 10 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 32 +++++ .../hosts/dave/etc/ipsec.d/triplets.dat | 3 + .../hosts/dave/etc/strongswan.conf | 10 ++ .../hosts/dave/etc/swanctl/swanctl.conf | 32 +++++ .../hosts/moon/etc/iptables.rules | 32 +++++ .../hosts/moon/etc/strongswan.conf | 17 +++ .../hosts/moon/etc/swanctl/swanctl.conf | 30 ++++ .../swanctl/mult-auth-rsa-eap-sim-id/posttest.dat | 4 + .../swanctl/mult-auth-rsa-eap-sim-id/pretest.dat | 15 ++ .../swanctl/mult-auth-rsa-eap-sim-id/test.conf | 30 ++++ testing/tests/swanctl/multi-level-ca/evaltest.dat | 12 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 - .../hosts/dave/etc/swanctl/swanctl.conf | 1 - .../hosts/moon/etc/swanctl/swanctl.conf | 2 - testing/tests/swanctl/multi-level-ca/pretest.dat | 4 +- testing/tests/swanctl/net2net-cert/evaltest.dat | 4 +- .../hosts/moon/etc/swanctl/swanctl.conf | 9 +- .../hosts/sun/etc/swanctl/swanctl.conf | 9 +- testing/tests/swanctl/net2net-cert/pretest.dat | 3 +- .../tests/swanctl/net2net-pubkey/description.txt | 7 + testing/tests/swanctl/net2net-pubkey/evaltest.dat | 5 + .../net2net-pubkey/hosts/moon/etc/strongswan.conf | 10 ++ .../hosts/moon/etc/swanctl/pubkey/moonPub.pem | 9 ++ .../hosts/moon/etc/swanctl/pubkey/sunPub.pem | 9 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 30 ++++ .../net2net-pubkey/hosts/sun/etc/strongswan.conf | 10 ++ .../hosts/sun/etc/swanctl/pubkey/moonPub.pem | 9 ++ .../hosts/sun/etc/swanctl/pubkey/sunPub.pem | 9 ++ .../hosts/sun/etc/swanctl/swanctl.conf | 30 ++++ testing/tests/swanctl/net2net-pubkey/posttest.dat | 7 + testing/tests/swanctl/net2net-pubkey/pretest.dat | 8 ++ testing/tests/swanctl/net2net-pubkey/test.conf | 25 ++++ testing/tests/swanctl/net2net-route/evaltest.dat | 4 +- .../hosts/moon/etc/swanctl/swanctl.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 8 +- testing/tests/swanctl/net2net-route/pretest.dat | 5 +- testing/tests/swanctl/net2net-start/evaltest.dat | 4 +- .../hosts/moon/etc/swanctl/swanctl.conf | 8 +- .../hosts/sun/etc/swanctl/swanctl.conf | 8 +- testing/tests/swanctl/net2net-start/pretest.dat | 2 +- .../tests/swanctl/ocsp-multi-level/evaltest.dat | 22 +-- .../hosts/carol/etc/swanctl/swanctl.conf | 1 - .../hosts/dave/etc/swanctl/swanctl.conf | 1 - .../hosts/moon/etc/swanctl/swanctl.conf | 2 - testing/tests/swanctl/ocsp-multi-level/pretest.dat | 4 +- .../tests/swanctl/protoport-dual/description.txt | 7 + testing/tests/swanctl/protoport-dual/evaltest.dat | 7 + .../protoport-dual/hosts/carol/etc/strongswan.conf | 10 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../protoport-dual/hosts/moon/etc/strongswan.conf | 10 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 35 +++++ testing/tests/swanctl/protoport-dual/posttest.dat | 5 + testing/tests/swanctl/protoport-dual/pretest.dat | 8 ++ testing/tests/swanctl/protoport-dual/test.conf | 25 ++++ .../tests/swanctl/protoport-range/description.txt | 7 + testing/tests/swanctl/protoport-range/evaltest.dat | 7 + .../hosts/carol/etc/strongswan.conf | 10 ++ .../hosts/carol/etc/swanctl/swanctl.conf | 42 ++++++ .../protoport-range/hosts/moon/etc/strongswan.conf | 10 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 43 ++++++ testing/tests/swanctl/protoport-range/posttest.dat | 5 + testing/tests/swanctl/protoport-range/pretest.dat | 10 ++ testing/tests/swanctl/protoport-range/test.conf | 25 ++++ testing/tests/swanctl/rw-cert/evaltest.dat | 8 +- .../hosts/carol/etc/swanctl/rsa/carolKey.pem | 30 ++++ .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf | 17 ++- .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf | 9 +- .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf | 9 +- testing/tests/swanctl/rw-cert/pretest.dat | 4 +- testing/tests/swanctl/rw-dnssec/description.txt | 10 ++ testing/tests/swanctl/rw-dnssec/evaltest.dat | 20 +++ .../rw-dnssec/hosts/carol/etc/iptables.rules | 28 ++++ .../swanctl/rw-dnssec/hosts/carol/etc/resolv.conf | 1 + .../rw-dnssec/hosts/carol/etc/strongswan.conf | 19 +++ .../rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys | 10 ++ .../hosts/carol/etc/swanctl/pubkey/carolPub.der | Bin 0 -> 294 bytes .../rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf | 28 ++++ .../rw-dnssec/hosts/dave/etc/iptables.rules | 28 ++++ .../swanctl/rw-dnssec/hosts/dave/etc/resolv.conf | 1 + .../rw-dnssec/hosts/dave/etc/strongswan.conf | 19 +++ .../rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys | 10 ++ .../hosts/dave/etc/swanctl/pubkey/davePub.der | Bin 0 -> 294 bytes .../rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf | 28 ++++ .../rw-dnssec/hosts/moon/etc/iptables.rules | 28 ++++ .../swanctl/rw-dnssec/hosts/moon/etc/resolv.conf | 1 + .../rw-dnssec/hosts/moon/etc/strongswan.conf | 22 +++ .../rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys | 10 ++ .../hosts/moon/etc/swanctl/pubkey/moonPub.der | Bin 0 -> 294 bytes .../rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf | 32 +++++ testing/tests/swanctl/rw-dnssec/posttest.dat | 11 ++ testing/tests/swanctl/rw-dnssec/pretest.dat | 14 ++ testing/tests/swanctl/rw-dnssec/test.conf | 25 ++++ testing/tests/swanctl/rw-hash-and-url/evaltest.dat | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 9 +- .../hosts/dave/etc/swanctl/swanctl.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 9 +- testing/tests/swanctl/rw-hash-and-url/pretest.dat | 4 +- .../tests/swanctl/rw-ntru-bliss/description.txt | 14 ++ testing/tests/swanctl/rw-ntru-bliss/evaltest.dat | 18 +++ .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf | 13 ++ .../hosts/carol/etc/swanctl/bliss/carolKey.der | Bin 0 -> 1182 bytes .../hosts/carol/etc/swanctl/swanctl.conf | 30 ++++ .../hosts/carol/etc/swanctl/x509/carolCert.der | Bin 0 -> 2175 bytes .../etc/swanctl/x509ca/strongswan_blissCert.der | Bin 0 -> 2086 bytes .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf | 13 ++ .../hosts/dave/etc/swanctl/bliss/daveKey.der | Bin 0 -> 1310 bytes .../hosts/dave/etc/swanctl/swanctl.conf | 30 ++++ .../hosts/dave/etc/swanctl/x509/daveCert.der | Bin 0 -> 2179 bytes .../etc/swanctl/x509ca/strongswan_blissCert.der | Bin 0 -> 2086 bytes .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf | 14 ++ .../hosts/moon/etc/swanctl/bliss/moonKey.der | Bin 0 -> 1310 bytes .../hosts/moon/etc/swanctl/swanctl.conf | 34 +++++ .../hosts/moon/etc/swanctl/x509/moonCert.der | Bin 0 -> 2200 bytes .../etc/swanctl/x509ca/strongswan_blissCert.der | Bin 0 -> 2086 bytes testing/tests/swanctl/rw-ntru-bliss/posttest.dat | 9 ++ testing/tests/swanctl/rw-ntru-bliss/pretest.dat | 14 ++ testing/tests/swanctl/rw-ntru-bliss/test.conf | 25 ++++ testing/tests/swanctl/rw-psk-fqdn/evaltest.dat | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 9 +- .../hosts/dave/etc/swanctl/swanctl.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 9 +- testing/tests/swanctl/rw-psk-fqdn/pretest.dat | 4 +- testing/tests/swanctl/rw-psk-ikev1/description.txt | 16 +++ testing/tests/swanctl/rw-psk-ikev1/evaltest.dat | 14 ++ .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf | 23 +++ .../hosts/carol/etc/swanctl/swanctl.conf | 33 +++++ .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf | 23 +++ .../hosts/dave/etc/swanctl/swanctl.conf | 32 +++++ .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf | 23 +++ .../hosts/moon/etc/swanctl/swanctl.conf | 67 +++++++++ testing/tests/swanctl/rw-psk-ikev1/posttest.dat | 8 ++ testing/tests/swanctl/rw-psk-ikev1/pretest.dat | 15 ++ testing/tests/swanctl/rw-psk-ikev1/test.conf | 25 ++++ testing/tests/swanctl/rw-psk-ipv4/evaltest.dat | 8 +- .../hosts/carol/etc/swanctl/swanctl.conf | 9 +- .../hosts/dave/etc/swanctl/swanctl.conf | 9 +- .../hosts/moon/etc/swanctl/swanctl.conf | 9 +- testing/tests/swanctl/rw-psk-ipv4/pretest.dat | 4 +- .../tests/swanctl/rw-pubkey-anon/description.txt | 9 ++ testing/tests/swanctl/rw-pubkey-anon/evaltest.dat | 10 ++ .../rw-pubkey-anon/hosts/carol/etc/strongswan.conf | 14 ++ .../hosts/carol/etc/swanctl/pubkey/carolPub.pem | 9 ++ .../hosts/carol/etc/swanctl/pubkey/moonPub.pem | 9 ++ .../hosts/carol/etc/swanctl/rsa/carolKey.pem | 30 ++++ .../hosts/carol/etc/swanctl/swanctl.conf | 34 +++++ .../rw-pubkey-anon/hosts/dave/etc/strongswan.conf | 14 ++ .../hosts/dave/etc/swanctl/pubkey/davePub.pem | 9 ++ .../hosts/dave/etc/swanctl/pubkey/moonPub.pem | 9 ++ .../hosts/dave/etc/swanctl/swanctl.conf | 26 ++++ .../rw-pubkey-anon/hosts/moon/etc/strongswan.conf | 14 ++ .../hosts/moon/etc/swanctl/pubkey/carolPub.pem | 9 ++ .../hosts/moon/etc/swanctl/pubkey/davePub.pem | 9 ++ .../hosts/moon/etc/swanctl/pubkey/moonPub.pem | 9 ++ .../hosts/moon/etc/swanctl/pubkey/sunPub.pem | 9 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 24 ++++ testing/tests/swanctl/rw-pubkey-anon/posttest.dat | 11 ++ testing/tests/swanctl/rw-pubkey-anon/pretest.dat | 14 ++ testing/tests/swanctl/rw-pubkey-anon/test.conf | 25 ++++ .../tests/swanctl/rw-pubkey-keyid/description.txt | 8 ++ testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat | 10 ++ .../hosts/carol/etc/strongswan.conf | 14 ++ .../hosts/carol/etc/swanctl/pubkey/carolPub.pem | 9 ++ .../hosts/carol/etc/swanctl/pubkey/moonPub.pem | 9 ++ .../hosts/carol/etc/swanctl/rsa/carolKey.pem | 30 ++++ .../hosts/carol/etc/swanctl/swanctl.conf | 34 +++++ .../rw-pubkey-keyid/hosts/dave/etc/strongswan.conf | 14 ++ .../hosts/dave/etc/swanctl/pubkey/davePub.pem | 9 ++ .../hosts/dave/etc/swanctl/pubkey/moonPub.pem | 9 ++ .../hosts/dave/etc/swanctl/swanctl.conf | 26 ++++ .../rw-pubkey-keyid/hosts/moon/etc/strongswan.conf | 14 ++ .../hosts/moon/etc/swanctl/pubkey/carolPub.pem | 9 ++ .../hosts/moon/etc/swanctl/pubkey/davePub.pem | 9 ++ .../hosts/moon/etc/swanctl/pubkey/moonPub.pem | 9 ++ .../hosts/moon/etc/swanctl/swanctl.conf | 20 +++ .../hosts/moon/etc/swanctl/swanctl_base.conf | 16 +++ testing/tests/swanctl/rw-pubkey-keyid/posttest.dat | 11 ++ testing/tests/swanctl/rw-pubkey-keyid/pretest.dat | 15 ++ testing/tests/swanctl/rw-pubkey-keyid/test.conf | 25 ++++ .../swanctl/shunt-policies-nat-rw/description.txt | 7 + .../swanctl/shunt-policies-nat-rw/evaltest.dat | 14 ++ .../hosts/alice/etc/strongswan.conf | 11 ++ .../hosts/alice/etc/swanctl/swanctl.conf | 40 ++++++ .../hosts/sun/etc/iptables.rules | 24 ++++ .../hosts/sun/etc/strongswan.conf | 11 ++ .../hosts/sun/etc/swanctl/swanctl.conf | 32 +++++ .../hosts/venus/etc/strongswan.conf | 11 ++ .../hosts/venus/etc/swanctl/swanctl.conf | 40 ++++++ .../swanctl/shunt-policies-nat-rw/posttest.dat | 5 + .../swanctl/shunt-policies-nat-rw/pretest.dat | 11 ++ .../tests/swanctl/shunt-policies-nat-rw/test.conf | 25 ++++ testing/tests/swanctl/xauth-rsa/description.txt | 9 ++ testing/tests/swanctl/xauth-rsa/evaltest.dat | 12 ++ .../xauth-rsa/hosts/carol/etc/strongswan.conf | 10 ++ .../xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf | 38 +++++ .../xauth-rsa/hosts/dave/etc/strongswan.conf | 10 ++ .../xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf | 38 +++++ .../xauth-rsa/hosts/moon/etc/strongswan.conf | 10 ++ .../xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf | 40 ++++++ testing/tests/swanctl/xauth-rsa/posttest.dat | 8 ++ testing/tests/swanctl/xauth-rsa/pretest.dat | 11 ++ testing/tests/swanctl/xauth-rsa/test.conf | 25 ++++ testing/tests/tnc/tnccs-11-fhh/evaltest.dat | 13 +- .../tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon | 158 +++++++++++++++++++++ .../tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf | 23 --- .../tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets | 3 - .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf | 18 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon | 158 +++++++++++++++++++++ .../tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf | 23 --- .../tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf | 18 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon | 158 +++++++++++++++++++++ .../tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf | 34 ----- .../tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets | 6 - .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf | 18 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-11-fhh/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-fhh/pretest.dat | 14 +- testing/tests/tnc/tnccs-11-fhh/test.conf | 4 +- .../tests/tnc/tnccs-11-radius-block/evaltest.dat | 9 +- .../freeradius/sites-available/inner-tunnel-second | 13 ++ .../hosts/alice/etc/strongswan.conf | 10 +- .../hosts/carol/etc/ipsec.conf | 23 --- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 15 +- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../hosts/dave/etc/ipsec.conf | 23 --- .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 18 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../hosts/moon/etc/ipsec.conf | 23 --- .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 11 +- .../hosts/moon/etc/swanctl/swanctl.conf | 27 ++++ .../tests/tnc/tnccs-11-radius-block/posttest.dat | 7 +- .../tests/tnc/tnccs-11-radius-block/pretest.dat | 18 ++- testing/tests/tnc/tnccs-11-radius-block/test.conf | 7 +- testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat | 13 +- .../tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf | 23 --- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 23 +-- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf | 23 --- .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 27 ++-- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf | 33 ----- .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 10 +- .../hosts/moon/etc/swanctl/swanctl.conf | 53 +++++++ testing/tests/tnc/tnccs-11-radius-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 16 ++- testing/tests/tnc/tnccs-11-radius-pts/test.conf | 4 + testing/tests/tnc/tnccs-11-radius/evaltest.dat | 13 +- .../hosts/alice/etc/strongswan.conf | 1 + .../tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf | 23 --- .../tnccs-11-radius/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 15 +- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf | 23 --- .../tnccs-11-radius/hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-11-radius/hosts/dave/etc/strongswan.conf | 15 +- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf | 33 ----- .../tnccs-11-radius/hosts/moon/etc/ipsec.secrets | 3 - .../tnccs-11-radius/hosts/moon/etc/strongswan.conf | 10 +- .../hosts/moon/etc/swanctl/swanctl.conf | 53 +++++++ testing/tests/tnc/tnccs-11-radius/posttest.dat | 6 +- testing/tests/tnc/tnccs-11-radius/pretest.dat | 14 +- testing/tests/tnc/tnccs-11-radius/test.conf | 3 + .../hosts/alice/etc/strongswan.conf | 1 + .../tnccs-11-supplicant/hosts/carol/etc/ipsec.conf | 1 - .../hosts/carol/etc/ipsec.secrets | 1 - .../hosts/carol/etc/strongswan.conf | 1 + .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../tnccs-11-supplicant/hosts/dave/etc/ipsec.conf | 1 - .../hosts/dave/etc/ipsec.secrets | 1 - .../hosts/dave/etc/strongswan.conf | 1 + .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../tnccs-11-supplicant/hosts/moon/etc/ipsec.conf | 33 ----- .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/iptables.rules | 32 ----- .../hosts/moon/etc/strongswan.conf | 13 -- testing/tests/tnc/tnccs-11-supplicant/test.conf | 7 +- testing/tests/tnc/tnccs-11/evaltest.dat | 13 +- .../tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf | 23 --- .../tnc/tnccs-11/hosts/carol/etc/ipsec.secrets | 3 - .../tnc/tnccs-11/hosts/carol/etc/strongswan.conf | 19 ++- .../tnccs-11/hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf | 23 --- .../tnc/tnccs-11/hosts/dave/etc/ipsec.secrets | 3 - .../tnc/tnccs-11/hosts/dave/etc/strongswan.conf | 19 ++- .../tnccs-11/hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf | 34 ----- .../tnc/tnccs-11/hosts/moon/etc/ipsec.secrets | 6 - .../tnc/tnccs-11/hosts/moon/etc/strongswan.conf | 19 ++- .../tnccs-11/hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-11/posttest.dat | 6 +- testing/tests/tnc/tnccs-11/pretest.dat | 14 +- testing/tests/tnc/tnccs-11/test.conf | 4 + testing/tests/tnc/tnccs-20-block/evaltest.dat | 8 +- .../tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf | 23 --- .../tnccs-20-block/hosts/carol/etc/ipsec.secrets | 3 - .../tnccs-20-block/hosts/carol/etc/strongswan.conf | 19 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 34 +++++ .../tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf | 23 --- .../tnccs-20-block/hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-20-block/hosts/dave/etc/strongswan.conf | 19 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 34 +++++ .../tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf | 24 ---- .../tnccs-20-block/hosts/moon/etc/ipsec.secrets | 6 - .../tnccs-20-block/hosts/moon/etc/strongswan.conf | 25 ++-- .../hosts/moon/etc/swanctl/swanctl.conf | 39 +++++ testing/tests/tnc/tnccs-20-block/posttest.dat | 7 +- testing/tests/tnc/tnccs-20-block/pretest.dat | 15 +- testing/tests/tnc/tnccs-20-block/test.conf | 3 + .../tests/tnc/tnccs-20-client-retry/evaltest.dat | 14 +- .../hosts/carol/etc/ipsec.conf | 23 --- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 20 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../hosts/dave/etc/ipsec.conf | 23 --- .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 19 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../hosts/moon/etc/ipsec.conf | 34 ----- .../hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 19 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ .../tests/tnc/tnccs-20-client-retry/posttest.dat | 6 +- .../tests/tnc/tnccs-20-client-retry/pretest.dat | 14 +- testing/tests/tnc/tnccs-20-client-retry/test.conf | 3 + .../tnccs-20-fail-init/hosts/carol/etc/ipsec.conf | 23 --- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 19 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnccs-20-fail-init/hosts/dave/etc/ipsec.conf | 23 --- .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 19 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnccs-20-fail-init/hosts/moon/etc/ipsec.conf | 34 ----- .../hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 19 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-20-fail-init/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-fail-init/pretest.dat | 14 +- testing/tests/tnc/tnccs-20-fail-init/test.conf | 3 + .../tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf | 23 --- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 20 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf | 34 ----- .../hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 19 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-20-fail-resp/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-fail-resp/pretest.dat | 8 +- testing/tests/tnc/tnccs-20-fail-resp/test.conf | 3 + testing/tests/tnc/tnccs-20-fhh/evaltest.dat | 17 ++- .../tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon | 158 +++++++++++++++++++++ .../tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf | 23 --- .../tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets | 3 - .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf | 20 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon | 158 +++++++++++++++++++++ .../tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf | 23 --- .../tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-20-fhh/hosts/dave/etc/strongswan.conf | 19 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon | 158 +++++++++++++++++++++ .../tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf | 34 ----- .../tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets | 6 - .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf | 15 +- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-20-fhh/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-fhh/pretest.dat | 15 +- testing/tests/tnc/tnccs-20-fhh/test.conf | 3 + testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat | 1 - .../tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf | 9 -- .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 ---- .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 ---- .../tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets | 3 - .../hosts/alice/etc/strongswan.conf | 14 +- .../hosts/alice/etc/swanctl/rsa/aaaKey.pem | 27 ++++ .../hosts/alice/etc/swanctl/swanctl.conf | 0 .../hosts/alice/etc/swanctl/x509/aaaCert.pem | 25 ++++ .../tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf | 24 ---- .../hosts/carol/etc/strongswan.conf | 19 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 27 ++++ .../tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf | 24 ---- .../hosts/dave/etc/strongswan.conf | 19 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 27 ++++ .../tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf | 33 ----- .../tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 7 +- .../hosts/moon/etc/swanctl/swanctl.conf | 53 +++++++ testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat | 10 +- testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat | 14 +- testing/tests/tnc/tnccs-20-hcd-eap/test.conf | 3 + .../tnc/tnccs-20-mutual-eap-fail/description.txt | 5 + .../tnc/tnccs-20-mutual-eap-fail/evaltest.dat | 7 + .../hosts/moon/etc/strongswan.conf | 45 ++++++ .../hosts/moon/etc/swanctl/swanctl.conf | 28 ++++ .../hosts/moon/etc/tnc_config | 4 + .../hosts/sun/etc/strongswan.conf | 47 ++++++ .../hosts/sun/etc/swanctl/swanctl.conf | 28 ++++ .../hosts/sun/etc/tnc_config | 4 + .../tnc/tnccs-20-mutual-eap-fail/posttest.dat | 4 + .../tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat | 6 + .../tests/tnc/tnccs-20-mutual-eap-fail/test.conf | 25 ++++ .../tests/tnc/tnccs-20-mutual-eap/description.txt | 5 +- testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat | 12 +- .../tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf | 23 --- .../hosts/moon/etc/strongswan.conf | 23 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 28 ++++ .../tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf | 23 --- .../hosts/sun/etc/strongswan.conf | 23 ++- .../hosts/sun/etc/swanctl/swanctl.conf | 28 ++++ testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat | 8 +- testing/tests/tnc/tnccs-20-mutual-eap/test.conf | 4 + .../hosts/moon/etc/ipsec.conf | 3 - .../hosts/moon/etc/pts/options | 6 +- .../hosts/moon/etc/strongswan.conf | 6 +- .../hosts/moon/etc/swanctl/swanctl.conf | 1 + .../hosts/sun/etc/ipsec.conf | 9 -- .../hosts/sun/etc/strongswan.conf | 19 ++- .../hosts/sun/etc/swantcl/swanctl.conf | 0 .../tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat | 2 +- .../tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf | 4 + testing/tests/tnc/tnccs-20-os-pts/evaltest.dat | 8 +- .../tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf | 23 --- .../tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 21 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf | 23 --- .../tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf | 21 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf | 34 ----- .../tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets | 6 - .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf | 20 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-20-os-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-os-pts/pretest.dat | 16 ++- testing/tests/tnc/tnccs-20-os-pts/test.conf | 4 + testing/tests/tnc/tnccs-20-os/evaltest.dat | 8 +- .../tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf | 23 --- .../tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets | 3 - .../tnccs-20-os/hosts/carol/etc/strongswan.conf | 20 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf | 23 --- .../tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets | 3 - .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf | 19 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf | 34 ----- .../tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets | 6 - .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf | 19 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-20-os/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-os/pretest.dat | 19 +-- testing/tests/tnc/tnccs-20-os/test.conf | 6 +- testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat | 8 +- .../tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf | 9 -- .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 ---- .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 ---- .../tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets | 6 - .../hosts/alice/etc/strongswan.conf | 14 +- .../hosts/alice/etc/swanctl/rsa/aaaKey.pem | 27 ++++ .../hosts/alice/etc/swanctl/swanctl.conf | 11 ++ .../hosts/alice/etc/swanctl/x509/aaaCert.pem | 25 ++++ .../tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf | 23 --- .../tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 21 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf | 23 --- .../tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 21 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf | 33 ----- .../tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 8 +- .../hosts/moon/etc/swanctl/swanctl.conf | 53 +++++++ testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat | 10 +- testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat | 18 ++- testing/tests/tnc/tnccs-20-pdp-eap/test.conf | 3 + .../tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf | 9 -- .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 ---- .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 ---- .../hosts/alice/etc/ipsec.secrets | 6 - .../hosts/alice/etc/strongswan.conf | 15 +- .../hosts/alice/etc/swanctl/rsa/aaaKey.pem | 27 ++++ .../hosts/alice/etc/swanctl/swanctl.conf | 7 + .../hosts/alice/etc/swanctl/x509/aaaCert.pem | 25 ++++ .../tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf | 3 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/pts/options | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 1 + .../tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf | 3 - .../hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options | 6 +- .../hosts/dave/etc/swanctl/swanctl.conf | 1 + .../tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf | 3 - .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/swanctl/swanctl.conf | 1 + testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat | 4 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf | 4 + testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat | 8 +- .../tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf | 23 --- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 21 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf | 23 --- .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 22 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf | 34 ----- .../hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 20 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat | 14 +- testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf | 3 + testing/tests/tnc/tnccs-20-pts/evaltest.dat | 8 +- .../hosts/carol/etc/.strongswan.conf.swp | Bin 0 -> 12288 bytes .../tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf | 23 --- .../tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets | 3 - .../tnccs-20-pts/hosts/carol/etc/strongswan.conf | 21 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf | 23 --- .../tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-20-pts/hosts/dave/etc/strongswan.conf | 23 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf | 34 ----- .../tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets | 6 - .../tnccs-20-pts/hosts/moon/etc/strongswan.conf | 22 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-20-pts/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-pts/pretest.dat | 14 +- testing/tests/tnc/tnccs-20-pts/test.conf | 3 + .../tests/tnc/tnccs-20-server-retry/evaltest.dat | 13 +- .../hosts/carol/etc/ipsec.conf | 23 --- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 20 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../hosts/dave/etc/ipsec.conf | 23 --- .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 19 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../hosts/moon/etc/ipsec.conf | 34 ----- .../hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 19 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ .../tests/tnc/tnccs-20-server-retry/posttest.dat | 6 +- .../tests/tnc/tnccs-20-server-retry/pretest.dat | 14 +- testing/tests/tnc/tnccs-20-server-retry/test.conf | 3 + testing/tests/tnc/tnccs-20-tls/evaltest.dat | 13 +- .../tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf | 23 --- .../tnccs-20-tls/hosts/carol/etc/strongswan.conf | 20 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 27 ++++ .../tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf | 23 --- .../tnccs-20-tls/hosts/dave/etc/strongswan.conf | 20 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 27 ++++ .../tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf | 34 ----- .../tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets | 6 - .../tnccs-20-tls/hosts/moon/etc/strongswan.conf | 19 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 50 +++++++ testing/tests/tnc/tnccs-20-tls/posttest.dat | 6 +- testing/tests/tnc/tnccs-20-tls/pretest.dat | 10 +- testing/tests/tnc/tnccs-20-tls/test.conf | 3 + testing/tests/tnc/tnccs-20/evaltest.dat | 13 +- .../tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf | 23 --- .../tnc/tnccs-20/hosts/carol/etc/ipsec.secrets | 3 - .../tnc/tnccs-20/hosts/carol/etc/strongswan.conf | 20 ++- .../tnccs-20/hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf | 23 --- .../tnc/tnccs-20/hosts/dave/etc/ipsec.secrets | 3 - .../tnc/tnccs-20/hosts/dave/etc/strongswan.conf | 19 ++- .../tnccs-20/hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf | 34 ----- .../tnc/tnccs-20/hosts/moon/etc/ipsec.secrets | 6 - .../tnc/tnccs-20/hosts/moon/etc/strongswan.conf | 19 ++- .../tnccs-20/hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-20/posttest.dat | 6 +- testing/tests/tnc/tnccs-20/pretest.dat | 14 +- testing/tests/tnc/tnccs-20/test.conf | 3 + testing/tests/tnc/tnccs-dynamic/evaltest.dat | 13 +- .../tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf | 23 --- .../tnccs-dynamic/hosts/carol/etc/ipsec.secrets | 3 - .../tnccs-dynamic/hosts/carol/etc/strongswan.conf | 19 ++- .../hosts/carol/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf | 23 --- .../tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets | 3 - .../tnccs-dynamic/hosts/dave/etc/strongswan.conf | 19 ++- .../hosts/dave/etc/swanctl/swanctl.conf | 35 +++++ .../tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf | 34 ----- .../tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets | 6 - .../tnccs-dynamic/hosts/moon/etc/strongswan.conf | 20 ++- .../hosts/moon/etc/swanctl/swanctl.conf | 64 +++++++++ testing/tests/tnc/tnccs-dynamic/posttest.dat | 6 +- testing/tests/tnc/tnccs-dynamic/pretest.dat | 14 +- testing/tests/tnc/tnccs-dynamic/test.conf | 3 + 996 files changed, 10059 insertions(+), 3563 deletions(-) delete mode 100644 testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/af-alg/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/af-alg/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/af-alg/rw-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/description.txt create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/posttest.dat create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/pretest.dat create mode 100644 testing/tests/ikev2/reauth-mbb-revoked/test.conf create mode 100644 testing/tests/ikev2/redirect-active/description.txt create mode 100644 testing/tests/ikev2/redirect-active/evaltest.dat create mode 100644 testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules create mode 100644 testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/redirect-active/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/redirect-active/posttest.dat create mode 100644 testing/tests/ikev2/redirect-active/pretest.dat create mode 100644 testing/tests/ikev2/redirect-active/test.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-cert/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-cert/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-rsa/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/sql/rw-rsa/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf delete mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets create mode 100644 testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/config-payload/description.txt create mode 100755 testing/tests/swanctl/config-payload/evaltest.dat create mode 100755 testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf create mode 100755 testing/tests/swanctl/config-payload/posttest.dat create mode 100755 testing/tests/swanctl/config-payload/pretest.dat create mode 100755 testing/tests/swanctl/config-payload/test.conf create mode 100644 testing/tests/swanctl/dhcp-dynamic/description.txt create mode 100644 testing/tests/swanctl/dhcp-dynamic/evaltest.dat create mode 100755 testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf create mode 100644 testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules create mode 100755 testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf create mode 100644 testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf create mode 100644 testing/tests/swanctl/dhcp-dynamic/posttest.dat create mode 100644 testing/tests/swanctl/dhcp-dynamic/pretest.dat create mode 100644 testing/tests/swanctl/dhcp-dynamic/test.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf create mode 100644 testing/tests/swanctl/net2net-pubkey/description.txt create mode 100644 testing/tests/swanctl/net2net-pubkey/evaltest.dat create mode 100644 testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem create mode 100644 testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/sunPub.pem create mode 100755 testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/moonPub.pem create mode 100644 testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem create mode 100755 testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/net2net-pubkey/posttest.dat create mode 100644 testing/tests/swanctl/net2net-pubkey/pretest.dat create mode 100644 testing/tests/swanctl/net2net-pubkey/test.conf create mode 100644 testing/tests/swanctl/protoport-dual/description.txt create mode 100644 testing/tests/swanctl/protoport-dual/evaltest.dat create mode 100644 testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/protoport-dual/posttest.dat create mode 100644 testing/tests/swanctl/protoport-dual/pretest.dat create mode 100644 testing/tests/swanctl/protoport-dual/test.conf create mode 100644 testing/tests/swanctl/protoport-range/description.txt create mode 100644 testing/tests/swanctl/protoport-range/evaltest.dat create mode 100644 testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/protoport-range/posttest.dat create mode 100644 testing/tests/swanctl/protoport-range/pretest.dat create mode 100644 testing/tests/swanctl/protoport-range/test.conf create mode 100644 testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem create mode 100644 testing/tests/swanctl/rw-dnssec/description.txt create mode 100644 testing/tests/swanctl/rw-dnssec/evaltest.dat create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.der create mode 100755 testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.der create mode 100755 testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys create mode 100644 testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/pubkey/moonPub.der create mode 100755 testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-dnssec/posttest.dat create mode 100644 testing/tests/swanctl/rw-dnssec/pretest.dat create mode 100644 testing/tests/swanctl/rw-dnssec/test.conf create mode 100644 testing/tests/swanctl/rw-ntru-bliss/description.txt create mode 100644 testing/tests/swanctl/rw-ntru-bliss/evaltest.dat create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der create mode 100755 testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509/carolCert.der create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der create mode 100755 testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509/daveCert.der create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der create mode 100755 testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509/moonCert.der create mode 100644 testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der create mode 100644 testing/tests/swanctl/rw-ntru-bliss/posttest.dat create mode 100644 testing/tests/swanctl/rw-ntru-bliss/pretest.dat create mode 100644 testing/tests/swanctl/rw-ntru-bliss/test.conf create mode 100755 testing/tests/swanctl/rw-psk-ikev1/description.txt create mode 100755 testing/tests/swanctl/rw-psk-ikev1/evaltest.dat create mode 100755 testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-psk-ikev1/posttest.dat create mode 100755 testing/tests/swanctl/rw-psk-ikev1/pretest.dat create mode 100755 testing/tests/swanctl/rw-psk-ikev1/test.conf create mode 100755 testing/tests/swanctl/rw-pubkey-anon/description.txt create mode 100755 testing/tests/swanctl/rw-pubkey-anon/evaltest.dat create mode 100755 testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/carolPub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/moonPub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem create mode 100755 testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/davePub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/moonPub.pem create mode 100755 testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/carolPub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/davePub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/moonPub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/sunPub.pem create mode 100755 testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-pubkey-anon/posttest.dat create mode 100755 testing/tests/swanctl/rw-pubkey-anon/pretest.dat create mode 100755 testing/tests/swanctl/rw-pubkey-anon/test.conf create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/description.txt create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/carolPub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/moonPub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/davePub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/moonPub.pem create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/carolPub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/davePub.pem create mode 100644 testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/moonPub.pem create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/posttest.dat create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/pretest.dat create mode 100755 testing/tests/swanctl/rw-pubkey-keyid/test.conf create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/description.txt create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf create mode 100755 testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat create mode 100644 testing/tests/swanctl/shunt-policies-nat-rw/test.conf create mode 100644 testing/tests/swanctl/xauth-rsa/description.txt create mode 100644 testing/tests/swanctl/xauth-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/xauth-rsa/posttest.dat create mode 100644 testing/tests/swanctl/xauth-rsa/pretest.dat create mode 100644 testing/tests/swanctl/xauth-rsa/test.conf create mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf create mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem create mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/description.txt create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap-fail/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/swantcl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp delete mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/swanctl/swanctl.conf (limited to 'testing') diff --git a/testing/Makefile.in b/testing/Makefile.in index b66c2be76..f797f1767 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -329,6 +329,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/testing/do-tests b/testing/do-tests index c87ba05a7..2a424e523 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -520,6 +520,14 @@ do IPTABLES_DSP="iptables -L ; ip6tables -L" fi + for host in $DBHOSTS + do + eval HOSTLOGIN=root@\$ipv4_${host} + + scp $SSHCONF $HOSTLOGIN:/etc/db.d/ipsec.sql \ + $TESTRESULTDIR/${host}.ipsec.sql > /dev/null 2>&1 + done + for host in $IPSECHOSTS do eval HOSTLOGIN=root@\$ipv4_${host} @@ -531,15 +539,20 @@ do scp $SSHCONF $HOSTLOGIN:/etc/swanctl/swanctl.conf \ $TESTRESULTDIR/${host}.swanctl.conf > /dev/null 2>&1 - for subsys in conns certs pools authorities sas pols + for subsys in conns algs certs pools authorities sas pols do ssh $SSHCONF $HOSTLOGIN swanctl --list-$subsys \ > $TESTRESULTDIR/${host}.swanctl.$subsys 2>/dev/null done - # this is quite slow due to allocation stats via leak-detective ssh $SSHCONF $HOSTLOGIN swanctl --stats \ > $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null + + echo "" >> $TESTRESULTDIR/${host}.swanctl.sas + cat $TESTRESULTDIR/${host}.swanctl.pols >> \ + $TESTRESULTDIR/${host}.swanctl.sas + cat $TESTRESULTDIR/${host}.swanctl.algs >> \ + $TESTRESULTDIR/${host}.swanctl.stats else for file in ipsec.conf ipsec.secrets do @@ -552,9 +565,11 @@ do ssh $SSHCONF $HOSTLOGIN ipsec $command \ > $TESTRESULTDIR/${host}.$command 2>/dev/null done + fi - scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \ - $TESTRESULTDIR/${host}.ipsec.sql > /dev/null 2>&1 + if (! [ -f $TESTRESULTDIR/${host}.ipsec.sql ] ) then + scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \ + $TESTRESULTDIR/${host}.ipsec.sql > /dev/null 2>&1 fi ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \ @@ -578,16 +593,16 @@ do
  • swanctl.conf
  • swanctl --list-conns
  • swanctl --list-certs
    • -
  • swanctl --list-pools
  • strongswan.conf
    • +
  • ipsec.sql
    • diff --git a/testing/hosts/alice/etc/ipsec.d/ipsec.sql b/testing/hosts/alice/etc/ipsec.d/ipsec.sql index da38e9ab4..c80052d69 100644 --- a/testing/hosts/alice/etc/ipsec.d/ipsec.sql +++ b/testing/hosts/alice/etc/ipsec.d/ipsec.sql @@ -1,4 +1,4 @@ /* strongSwan SQLite database */ -/* configuration is read from ipsec.conf */ -/* credentials are read from ipsec.secrets */ +/* configuration is read from swanctl.conf or ipsec.conf */ +/* credentials are read from swanctl.conf or ipsec.secrets */ diff --git a/testing/hosts/bob/etc/ipsec.d/ipsec.sql b/testing/hosts/bob/etc/ipsec.d/ipsec.sql index da38e9ab4..c80052d69 100644 --- a/testing/hosts/bob/etc/ipsec.d/ipsec.sql +++ b/testing/hosts/bob/etc/ipsec.d/ipsec.sql @@ -1,4 +1,4 @@ /* strongSwan SQLite database */ -/* configuration is read from ipsec.conf */ -/* credentials are read from ipsec.secrets */ +/* configuration is read from swanctl.conf or ipsec.conf */ +/* credentials are read from swanctl.conf or ipsec.secrets */ diff --git a/testing/hosts/carol/etc/ipsec.d/ipsec.sql b/testing/hosts/carol/etc/ipsec.d/ipsec.sql index da38e9ab4..c80052d69 100644 --- a/testing/hosts/carol/etc/ipsec.d/ipsec.sql +++ b/testing/hosts/carol/etc/ipsec.d/ipsec.sql @@ -1,4 +1,4 @@ /* strongSwan SQLite database */ -/* configuration is read from ipsec.conf */ -/* credentials are read from ipsec.secrets */ +/* configuration is read from swanctl.conf or ipsec.conf */ +/* credentials are read from swanctl.conf or ipsec.secrets */ diff --git a/testing/hosts/dave/etc/ipsec.d/ipsec.sql b/testing/hosts/dave/etc/ipsec.d/ipsec.sql index da38e9ab4..c80052d69 100644 --- a/testing/hosts/dave/etc/ipsec.d/ipsec.sql +++ b/testing/hosts/dave/etc/ipsec.d/ipsec.sql @@ -1,4 +1,4 @@ /* strongSwan SQLite database */ -/* configuration is read from ipsec.conf */ -/* credentials are read from ipsec.secrets */ +/* configuration is read from swanctl.conf or ipsec.conf */ +/* credentials are read from swanctl.conf or ipsec.secrets */ diff --git a/testing/hosts/default/usr/local/bin/expect-connection b/testing/hosts/default/usr/local/bin/expect-connection index 10a709255..17e2b7fbe 100755 --- a/testing/hosts/default/usr/local/bin/expect-connection +++ b/testing/hosts/default/usr/local/bin/expect-connection @@ -15,10 +15,16 @@ fi secs=$2 [ ! $secs ] && secs=5 +cmd="swanctl --list-conns" +grep 'load.*stroke' /etc/strongswan.conf >/dev/null +if [ $? -eq 0 ]; then + cmd="ipsec statusall" +fi + let steps=$secs*10 for i in `seq 1 $steps` do - ipsec statusall 2>&1 | grep ^[[:space:]]*$1: >/dev/null + $cmd 2>&1 | grep ^[[:space:]]*$1: >/dev/null [ $? -eq 0 ] && exit 0 sleep 0.1 done diff --git a/testing/hosts/moon/etc/ipsec.d/ipsec.sql b/testing/hosts/moon/etc/ipsec.d/ipsec.sql index da38e9ab4..c80052d69 100644 --- a/testing/hosts/moon/etc/ipsec.d/ipsec.sql +++ b/testing/hosts/moon/etc/ipsec.d/ipsec.sql @@ -1,4 +1,4 @@ /* strongSwan SQLite database */ -/* configuration is read from ipsec.conf */ -/* credentials are read from ipsec.secrets */ +/* configuration is read from swanctl.conf or ipsec.conf */ +/* credentials are read from swanctl.conf or ipsec.secrets */ diff --git a/testing/hosts/sun/etc/ipsec.d/ipsec.sql b/testing/hosts/sun/etc/ipsec.d/ipsec.sql index da38e9ab4..c80052d69 100644 --- a/testing/hosts/sun/etc/ipsec.d/ipsec.sql +++ b/testing/hosts/sun/etc/ipsec.d/ipsec.sql @@ -1,4 +1,4 @@ /* strongSwan SQLite database */ -/* configuration is read from ipsec.conf */ -/* credentials are read from ipsec.secrets */ +/* configuration is read from swanctl.conf or ipsec.conf */ +/* credentials are read from swanctl.conf or ipsec.secrets */ diff --git a/testing/hosts/venus/etc/ipsec.d/ipsec.sql b/testing/hosts/venus/etc/ipsec.d/ipsec.sql index da38e9ab4..c80052d69 100644 --- a/testing/hosts/venus/etc/ipsec.d/ipsec.sql +++ b/testing/hosts/venus/etc/ipsec.d/ipsec.sql @@ -1,4 +1,4 @@ /* strongSwan SQLite database */ -/* configuration is read from ipsec.conf */ -/* credentials are read from ipsec.secrets */ +/* configuration is read from swanctl.conf or ipsec.conf */ +/* credentials are read from swanctl.conf or ipsec.secrets */ diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl index 842c3a1b2..de3c13dcf 100755 --- a/testing/hosts/winnetou/etc/openssl/generate-crl +++ b/testing/hosts/winnetou/etc/openssl/generate-crl @@ -24,6 +24,9 @@ openssl crl -in crl.pem -outform der -out strongswan.crl cp strongswan.crl ${ROOT} cp strongswanCert.pem ${ROOT} cp index.html ${ROOT} +# revoke moon's current CERT +pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem --lifetime 30 --reason key-compromise --cert newcerts/2B.pem --lastcrl strongswan.crl > strongswan_moon_revoked.crl +cp strongswan_moon_revoked.crl ${ROOT} cd /etc/openssl/research openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem openssl crl -in crl.pem -outform der -out research.crl diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index 994acaa28..f205df33b 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -98,7 +98,6 @@ CONFIG_OPTS = \ --enable-tkm \ --enable-ntru \ --enable-lookip \ - --enable-swanctl \ --enable-bliss \ --enable-sha3 diff --git a/testing/tests/af-alg/alg-camellia/description.txt b/testing/tests/af-alg/alg-camellia/description.txt index b3515c333..87679788f 100644 --- a/testing/tests/af-alg/alg-camellia/description.txt +++ b/testing/tests/af-alg/alg-camellia/description.txt @@ -1,4 +1,3 @@ Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / MODP_2048 by defining ike=camellia256-sha256-modp2048 as well as -the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA1_96 by defining esp=camellia192-sha1 -in ipsec.conf. A ping from carol to alice successfully checks the established tunnel. +HMAC_SHA2_512_256 / PRF_HMAC_SHA2_512 / MODP_3072 well as the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA384_192. +A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/af-alg/alg-camellia/evaltest.dat b/testing/tests/af-alg/alg-camellia/evaltest.dat index 2096cb994..d88c52638 100644 --- a/testing/tests/af-alg/alg-camellia/evaltest.dat +++ b/testing/tests/af-alg/alg-camellia/evaltest.dat @@ -1,10 +1,6 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES -carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 11dece402..000000000 --- a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp2048! - esp=camellia192-sha384! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf index 28b9e5822..81a85aa06 100644 --- a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 af-alg gmp random nonce x509 revocation stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } } diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..acba9cecb --- /dev/null +++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf deleted file mode 100644 index ecbb94dca..000000000 --- a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp2048! - esp=camellia192-sha384! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf index 28b9e5822..81a85aa06 100644 --- a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,10 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 af-alg gmp random nonce x509 revocation stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } } diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1c06bb2ce --- /dev/null +++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat index 046d4cfdc..2fc2bbb75 100644 --- a/testing/tests/af-alg/alg-camellia/posttest.dat +++ b/testing/tests/af-alg/alg-camellia/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat index de4acbbf0..41255bccb 100644 --- a/testing/tests/af-alg/alg-camellia/pretest.dat +++ b/testing/tests/af-alg/alg-camellia/pretest.dat @@ -1,6 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +moon::expect-connection net carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/af-alg/alg-camellia/test.conf b/testing/tests/af-alg/alg-camellia/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/af-alg/alg-camellia/test.conf +++ b/testing/tests/af-alg/alg-camellia/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/af-alg/rw-cert/description.txt b/testing/tests/af-alg/rw-cert/description.txt index d0c5e9200..13f20d1e2 100644 --- a/testing/tests/af-alg/rw-cert/description.txt +++ b/testing/tests/af-alg/rw-cert/description.txt @@ -5,8 +5,8 @@ encryption and hash functions whereas roadwarrior dave uses the default

    The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnel automatically iptables-based +firewall rules are inserted which let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/af-alg/rw-cert/evaltest.dat b/testing/tests/af-alg/rw-cert/evaltest.dat index ba661975b..3cd928be5 100644 --- a/testing/tests/af-alg/rw-cert/evaltest.dat +++ b/testing/tests/af-alg/rw-cert/evaltest.dat @@ -1,15 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 214a8de28..000000000 --- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp1536! - esp=3des-sha1! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf index 2d08b38bc..3610ac699 100644 --- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown + load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } integrity_test = yes crypto_test { diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..22fe14f92 --- /dev/null +++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-modp1536 + } + } + version = 2 + proposals = 3des-sha1-modp1536 + } +} diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 7fa2966d2..000000000 --- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp2048! - esp=aes128-sha256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf index f7b335e72..afa7afe83 100644 --- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,11 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown + load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } integrity_test = yes crypto_test { - required = yes on_add = yes } } diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b3622f50e --- /dev/null +++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index fc3eea283..000000000 --- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp2048,3des-sha1-modp1536! - esp=aes128-sha256,3des-sha1! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf index 2d08b38bc..3610ac699 100644 --- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown + load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } integrity_test = yes crypto_test { diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ccd247af0 --- /dev/null +++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-modp3072,3des-sha1-modp1536 + } + } + version = 2 + proposals = aes128-sha256-modp3072,3des-sha1-modp1536 + } +} diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat index 1865a1c60..d7107ccc6 100644 --- a/testing/tests/af-alg/rw-cert/posttest.dat +++ b/testing/tests/af-alg/rw-cert/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat index 855c273cc..7652f460e 100644 --- a/testing/tests/af-alg/rw-cert/pretest.dat +++ b/testing/tests/af-alg/rw-cert/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection net +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -carol::ipsec up home -dave::ipsec up home \ No newline at end of file +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/af-alg/rw-cert/test.conf b/testing/tests/af-alg/rw-cert/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/af-alg/rw-cert/test.conf +++ b/testing/tests/af-alg/rw-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat index 5f0bb3cdc..236647b56 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat @@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf index 11dece402..f0bbfc10f 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -8,7 +8,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=camellia256-sha512-modp2048! + ike=camellia256-sha512-modp3072! esp=camellia192-sha384! conn home diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf index ecbb94dca..8481f8974 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -8,7 +8,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=camellia256-sha512-modp2048! + ike=camellia256-sha512-modp3072! esp=camellia192-sha384! conn rw diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat index f1a4b964c..15c4ad7d1 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat @@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start +moon::expect-connection rw carol::expect-connection home dave::expect-connection home carol::ipsec up home diff --git a/testing/tests/ha/active-passive/pretest.dat b/testing/tests/ha/active-passive/pretest.dat index 2bdab2839..f82e48437 100644 --- a/testing/tests/ha/active-passive/pretest.dat +++ b/testing/tests/ha/active-passive/pretest.dat @@ -11,7 +11,6 @@ carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start alice::ipsec start -moon::ipsec start moon::sleep 2 alice::echo "+1" > /var/run/charon.ha carol::ipsec start diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat index abd29e97e..ad0ebd48c 100644 --- a/testing/tests/ikev1/alg-3des-md5/evaltest.dat +++ b/testing/tests/ikev1/alg-3des-md5/evaltest.dat @@ -5,8 +5,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED::YES moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES -carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES +moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96/MODP_1024,::YES +carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96/MODP_1024,::YES moon:: ip xfrm state::enc cbc(des3_ede)::YES carol::ip xfrm state::enc cbc(des3_ede)::YES moon:: ip xfrm state::auth-trunc hmac(md5)::YES diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat index eba856742..364d89f59 100644 --- a/testing/tests/ikev1/alg-sha256/evaltest.dat +++ b/testing/tests/ikev1/alg-sha256/evaltest.dat @@ -2,11 +2,11 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128/MODP_3072,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/MODP_3072,::YES moon:: ip xfrm state::auth-trunc hmac(sha256)::YES carol::ip xfrm state::auth-trunc hmac(sha256)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf index 73e25710b..1c227978e 100644 --- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes128-sha256-modp2048! - esp=aes128-sha256-modp2048! + ike=aes128-sha256-modp3072! + esp=aes128-sha256-modp3072! conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf index 0a6f48e69..177aebf52 100644 --- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes128-sha256-modp2048! - esp=aes128-sha256-modp2048! + ike=aes128-sha256-modp3072! + esp=aes128-sha256-modp3072! conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat index 3b24217c5..14f0ba479 100644 --- a/testing/tests/ikev1/alg-sha384/evaltest.dat +++ b/testing/tests/ikev1/alg-sha384/evaltest.dat @@ -5,8 +5,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192/MODP_3072,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/MODP_3072,::YES moon:: ip xfrm state::auth-trunc hmac(sha384)::YES carol::ip xfrm state::auth-trunc hmac(sha384)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat index 6bdceeb44..6f8c05d5b 100644 --- a/testing/tests/ikev1/alg-sha512/evaltest.dat +++ b/testing/tests/ikev1/alg-sha512/evaltest.dat @@ -5,8 +5,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256/MODP_4096,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/MODP_4096,::YES moon:: ip xfrm state::auth-trunc hmac(sha512)::YES carol::ip xfrm state::auth-trunc hmac(sha512)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf index 6c22fd548..7d97dd229 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown -} -libhydra { plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat index d568273d1..fe148cd10 100644 --- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful::YES moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol@strongswan.org' successful::YES moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat index ee60292a3..a88debd3e 100644 --- a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat +++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful::YES moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat index f11018347..c896b5f67 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat +++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat @@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf index 74668e7fb..c9e9e92e5 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-aesxcbc-modp2048! - esp=aes128-aesxcbc-modp2048! + ike=aes128-aesxcbc-modp3072! + esp=aes128-aesxcbc-modp3072! conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf index 3cda72935..4e4a9324f 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-aesxcbc-modp2048! - esp=aes128-aesxcbc-modp2048! + ike=aes128-aesxcbc-modp3072! + esp=aes128-aesxcbc-modp3072! conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat index 6c4e23710..8ad0fb2b2 100644 --- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat +++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat @@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf index 0d3b9fd45..90a143678 100644 --- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-modp2048! - esp=aes128-sha256_96-modp2048! + ike=aes128-sha256-modp3072! + esp=aes128-sha256_96-modp3072! conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf index b0a5c4616..e0b2625c0 100644 --- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-modp2048! - esp=aes128-sha256_96-modp2048! + ike=aes128-sha256-modp3072! + esp=aes128-sha256_96-modp3072! conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat index eba856742..c826c3f60 100644 --- a/testing/tests/ikev2/alg-sha256/evaltest.dat +++ b/testing/tests/ikev2/alg-sha256/evaltest.dat @@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf index 22d2cd38a..6890ea458 100644 --- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-modp2048! - esp=aes128-sha256-modp2048! + ike=aes128-sha256-modp3072! + esp=aes128-sha256-modp3072! conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf index 543374d76..583111893 100644 --- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-sha256-modp2048! - esp=aes128-sha256-modp2048! + ike=aes128-sha256-modp3072! + esp=aes128-sha256-modp3072! conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf index 6c22fd548..7d97dd229 100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown -} -libhydra { plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf index 6c22fd548..7d97dd229 100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown -} -libhydra { plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf index cf3b0d81b..b238646ac 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown -} -libhydra { plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf index cf3b0d81b..b238646ac 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown -} -libhydra { plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf index 5176e2a4d..da157a5ee 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql -} -libhydra { plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat index 56c1785cc..3aa610b38 100644 --- a/testing/tests/ikev2/ip-two-pools/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools/pretest.dat @@ -1,8 +1,8 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules alice::iptables-restore < /etc/iptables.rules -carol::ipsec start moon::ipsec start +carol::ipsec start alice::ipsec start carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/ikev2/reauth-mbb-revoked/description.txt b/testing/tests/ikev2/reauth-mbb-revoked/description.txt new file mode 100644 index 000000000..4e27a0b82 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/description.txt @@ -0,0 +1,15 @@ +This scenario tests make-before-break reauthentication using overlapping +IKE_SAs by setting the make_before_break strongswan.conf option. The +initiator carol reauthenticates the IKE_SA with host moon using +ikelifetime=10s, but does not close the old IKE_SA before the replacement +CHILD_SA is in place. A constant ping from carol to client alice +hiding in the subnet behind moon tests if the CHILD_SA works during the +whole procedure. +

    +Because the responder is always able to install CHILD_SAs before the initiator +is, some traffic sent by the responder over such a CHILD_SA might get dropped by +the initiator (until it also installed the CHILD_SA). This is particularly +problematic if OCSP/CRL checks are delayed or if they can also be done via the +IPsec tunnel once it's established. Therefore, online OCSP/CRL checks are +suspended during the reauthentication and done afterwards. This is verified here +by revoking the responder's certificate after the SA got initially established. diff --git a/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat b/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat new file mode 100644 index 000000000..8fe9a2360 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat @@ -0,0 +1,10 @@ +winnetou::cp /var/www/strongswan.crl /var/www/strongswan.crl.bak +winnetou::cp /var/www/strongswan_moon_revoked.crl /var/www/strongswan.crl +carol::ipsec purgecrls +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::sleep 6 +carol::cat /var/log/daemon.log::certificate was revoked.*key compromise::YES +carol::cat /var/log/daemon.log::peer certificate verification failed, deleting SA::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO +carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::NO diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..ec2b41d29 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + +conn %default + keylife=20m + ikelifetime=10s + rekeymargin=5s + rekeyfuzz=0% + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f89437e43 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown + + make_before_break = yes +} diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..93ae34cf7 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + +conn %default + ikelifetime=30m + keylife=20m + rekeymargin=0s + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f585edfca --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat b/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat new file mode 100644 index 000000000..d0d591585 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat @@ -0,0 +1,3 @@ +winnetou::cp /var/www/strongswan.crl.bak /var/www/strongswan.crl +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat new file mode 100644 index 000000000..3a1982f8a --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::expect-connection home +carol::ipsec up home diff --git a/testing/tests/ikev2/reauth-mbb-revoked/test.conf b/testing/tests/ikev2/reauth-mbb-revoked/test.conf new file mode 100644 index 000000000..4a5fc470f --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/redirect-active/description.txt b/testing/tests/ikev2/redirect-active/description.txt new file mode 100644 index 000000000..942c66ebf --- /dev/null +++ b/testing/tests/ikev2/redirect-active/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each +to gateway alice, which identifies itself as mars. +Host venus in the subnet behind this gateway uses gateway moon as +default gateway, so it is not fully reachable by the two roadwarriors. +Then both SAs are actively redirected with the swanctl --redirect +command to gateway moon (also identified as mars) using the +mechanism described in RFC 5685 enabling the roadwarriors to +ping venus. diff --git a/testing/tests/ikev2/redirect-active/evaltest.dat b/testing/tests/ikev2/redirect-active/evaltest.dat new file mode 100644 index 000000000..6d84173cd --- /dev/null +++ b/testing/tests/ikev2/redirect-active/evaltest.dat @@ -0,0 +1,28 @@ +alice::ipsec status 2> /dev/null::rw\[1].*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES +alice::ipsec status 2> /dev/null::rw\[2].*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*mars.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*mars.strongswan.org::YES +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +alice::swanctl --redirect --peer-ip PH_IP_CAROL --gateway 192.168.0.1::redirect completed successfully::YES +alice::swanctl --redirect --peer-id dave@strongswan.org --gateway moon.strongswan.org::redirect completed successfully::YES +carol::sleep 1::No output expected::NO +carol::cat /var/log/daemon.log::redirected to 192.168.0.1::YES +dave::cat /var/log/daemon.log::redirected to moon.strongswan.org::YES +moon::cat /var/log/daemon.log::client got redirected from 192.168.0.5::YES +moon::ipsec status 2> /dev/null::rw\[1].*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES +moon::ipsec status 2> /dev/null::rw\[2].*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES +carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::NO +carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES +dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::NO +dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES +venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES +venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES +venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..6a810552b --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=192.168.0.5 + leftcert=marsCert.pem + leftid=mars.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..cf0977489 --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBNDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE1MTEyNjA4MjQ1M1oXDTE5MDkwNjA4MjQ1M1owZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxTvcinIErfzu8YZKl+a2MNTVY ++qjG83OkweWjWed/egAugxRjTyWeKjrSNf6DWpXC0pNhzja+Sj0njz4Kq8VczkFB +/yYEkFKpdpFQHXvbQo5h7wn1i3Omhvou5x0rRfddRpLGl7Z/Xg8gnHsZMHHN60hI +qiLZdRSu5QF25WNcy9tO58gz8Hvo5jsk8YDu6eGYolaygQo3cqxx/r8yWzehju0F +oWm4sLOrq+OTegeCQYI8PsOALAwLWgWdGfMPMT0ntq9tD97AcUD0EilvcXVdmwUW +44/hM9BZ0JS7N7Wv6fgIChC7xhZj1yo6vY+FDsmNMhz7vdeulKx2dqRJkn0XAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUvo44 +06FQwLI8P6VqNehTNHa2LNMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCWvHc0v5BhxsLRxPvcOu1bVoeexzA/5nftfRly +PumU2hYFQ8p7soJiT/jYPmnfNvl6halnmS0FrqLdTMNfXj/6WCZ3w4Xnokc5PYW4 +oL1VqdEgR7jyQjifZuzRkuPw+yAFoT+HbMttLdRMVTq9NXlPXtGaJTWbx5Z/gGP3 +1Ry47WhvzJyRSysPh/+9WJFOwS6nf6DFbNuyVtNXQRzXjpsGefZgN9ysntNRFMMZ +V0j+zFIkLBLh2WBkJsuLQM9EFAlZrpQZ7iwHuz7gU0jATxN6Qxnn9AemNPl4k8T3 +igPXeVhDbZFeTc+u/Z7X5i1HXhks2QGz/zGee6no54XOnBWB +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/private/marsKey.pem b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..14f9440ee --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/private/marsKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAsU73IpyBK387vGGSpfmtjDU1WPqoxvNzpMHlo1nnf3oALoMU +Y08lnio60jX+g1qVwtKTYc42vko9J48+CqvFXM5BQf8mBJBSqXaRUB1720KOYe8J +9Ytzpob6LucdK0X3XUaSxpe2f14PIJx7GTBxzetISKoi2XUUruUBduVjXMvbTufI +M/B76OY7JPGA7unhmKJWsoEKN3Kscf6/Mls3oY7tBaFpuLCzq6vjk3oHgkGCPD7D +gCwMC1oFnRnzDzE9J7avbQ/ewHFA9BIpb3F1XZsFFuOP4TPQWdCUuze1r+n4CAoQ +u8YWY9cqOr2PhQ7JjTIc+73XrpSsdnakSZJ9FwIDAQABAoIBAQCe+TYMClamMUXV ++YYK2noIJAzY4qVA/DbLmi3S8GDnovNWwKAfCm+oCCUFJPQ1wZpVO4h5QPNEWjvK +pFv0JV6nfyZzjdkAboYu+uf+9PB//oS6uiAr0AS5YnweYYl9qxXGw+gFtzEhsavO +iX61bwIapsIApMrqPld1GE7f03vrTjyqYeJC+V5WEVZe1fkZtKFFJiHN1boPwoWt +VRQ4UGlq9eto5pddmMcPl/uR9/TItdMC8AZ7fcRYP9RdYFEp8jS+tx3CDNs0XrlF +qKlroDSdwBt475Ud5irtNwjGoohl3xCHvEne9l+fjlmQFynfRNeOb9rgVIsT3OoO +MFSeW9HBAoGBAOiAjYCWoQHSlbi3Nkd5fsfTd4iZOkeeZi+2PJOhDByH1Hsq87CP +KoYejjYUQ6QvJY2WDJCU8qXxPJkDuI6XZ6QbTDPad2xXDkA4pxuPi/c+Hb/eqLQ+ +24ebIzauC5iLdddp22oQXQOngKwUMihYggKs9cIpem8G99bcMfq1OeaDAoGBAMM6 +Z790eySPDIaKZZ/KVOu4hJe1s5vIJqN9xtV0o55PTR2wFCgwCogiXQchyhF8Qo6q +BEpcKpY1bAivmL8T2PBsLUuKC4LAr8uzW8rVFbG3HfC62RoaVOZWmH+yBABi6eej +Lh8KNhal+HzVOlMsw78FAkhq9aubWBywxfULFyrdAoGAPmnsEn3dIPkf+iMsrgk+ +cHQjHYdMrtclxV8daeAMuUf5UUsZeeck2jYvpPLRqayCXzzNiK6DaOqWgtkN3TFl +wBcX4L+f2XSRPco3id2CDFAfeldSYHiTRBbwYAhe0od1jes73IAiCA4aK5eMU2pX +FFLL8mBiHpX3SDV6MTwfG/MCgYEApgLXUC3LvVXLL+kl65ARUHUSgzNmrNSxTptY +5hCORcNnbxRYv6fCfOrDspngC6hfrJMUnOrs59g7qtMvD2TgN+m1RqP3j9Msagp1 +xvAVx45QbnFkxdaYVVpTyVpmHrH99xSC1rBHOFEgEX78XtgVCC1JOK2DhM7PSW5k +lzA8Hh0CgYBVXNnQsy4x+9D09zeFP2TKXsk7N154yUP6oxXu6OjZC+cfxHOGyi/g +PVe8ukBIknZkFRz+ZXdfZzXXuJslENOVeFEInqVAu2W55KeCPc/3SU6hB2lj6MBl +WIZ7yrUmtdalU3cPkFnHkQTL2glYAzjB2z22AxyXNzy37ZhtFpovtg== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA marsKey.pem diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..33c22b909 --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules @@ -0,0 +1,34 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# forward ESP-tunneled traffic +-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT +-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT +-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow esp +-A INPUT -p 50 -j ACCEPT +-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT +-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT + +# allow IKE +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..6f7f4c4cb --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown vici +} + diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..a5c2cc5fc --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="knl 2" +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=192.168.0.5 + rightid=mars.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e58af9efd --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/redirect-active/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..642811d10 --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/dave/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=192.168.0.5 + rightid=mars.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ecbad665c --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..fa901cbdf --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + leftcert=marsCert.pem + leftid=mars.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..cf0977489 --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBNDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE1MTEyNjA4MjQ1M1oXDTE5MDkwNjA4MjQ1M1owZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxTvcinIErfzu8YZKl+a2MNTVY ++qjG83OkweWjWed/egAugxRjTyWeKjrSNf6DWpXC0pNhzja+Sj0njz4Kq8VczkFB +/yYEkFKpdpFQHXvbQo5h7wn1i3Omhvou5x0rRfddRpLGl7Z/Xg8gnHsZMHHN60hI +qiLZdRSu5QF25WNcy9tO58gz8Hvo5jsk8YDu6eGYolaygQo3cqxx/r8yWzehju0F +oWm4sLOrq+OTegeCQYI8PsOALAwLWgWdGfMPMT0ntq9tD97AcUD0EilvcXVdmwUW +44/hM9BZ0JS7N7Wv6fgIChC7xhZj1yo6vY+FDsmNMhz7vdeulKx2dqRJkn0XAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUvo44 +06FQwLI8P6VqNehTNHa2LNMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCWvHc0v5BhxsLRxPvcOu1bVoeexzA/5nftfRly +PumU2hYFQ8p7soJiT/jYPmnfNvl6halnmS0FrqLdTMNfXj/6WCZ3w4Xnokc5PYW4 +oL1VqdEgR7jyQjifZuzRkuPw+yAFoT+HbMttLdRMVTq9NXlPXtGaJTWbx5Z/gGP3 +1Ry47WhvzJyRSysPh/+9WJFOwS6nf6DFbNuyVtNXQRzXjpsGefZgN9ysntNRFMMZ +V0j+zFIkLBLh2WBkJsuLQM9EFAlZrpQZ7iwHuz7gU0jATxN6Qxnn9AemNPl4k8T3 +igPXeVhDbZFeTc+u/Z7X5i1HXhks2QGz/zGee6no54XOnBWB +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/private/marsKey.pem b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..14f9440ee --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/private/marsKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAsU73IpyBK387vGGSpfmtjDU1WPqoxvNzpMHlo1nnf3oALoMU +Y08lnio60jX+g1qVwtKTYc42vko9J48+CqvFXM5BQf8mBJBSqXaRUB1720KOYe8J +9Ytzpob6LucdK0X3XUaSxpe2f14PIJx7GTBxzetISKoi2XUUruUBduVjXMvbTufI +M/B76OY7JPGA7unhmKJWsoEKN3Kscf6/Mls3oY7tBaFpuLCzq6vjk3oHgkGCPD7D +gCwMC1oFnRnzDzE9J7avbQ/ewHFA9BIpb3F1XZsFFuOP4TPQWdCUuze1r+n4CAoQ +u8YWY9cqOr2PhQ7JjTIc+73XrpSsdnakSZJ9FwIDAQABAoIBAQCe+TYMClamMUXV ++YYK2noIJAzY4qVA/DbLmi3S8GDnovNWwKAfCm+oCCUFJPQ1wZpVO4h5QPNEWjvK +pFv0JV6nfyZzjdkAboYu+uf+9PB//oS6uiAr0AS5YnweYYl9qxXGw+gFtzEhsavO +iX61bwIapsIApMrqPld1GE7f03vrTjyqYeJC+V5WEVZe1fkZtKFFJiHN1boPwoWt +VRQ4UGlq9eto5pddmMcPl/uR9/TItdMC8AZ7fcRYP9RdYFEp8jS+tx3CDNs0XrlF +qKlroDSdwBt475Ud5irtNwjGoohl3xCHvEne9l+fjlmQFynfRNeOb9rgVIsT3OoO +MFSeW9HBAoGBAOiAjYCWoQHSlbi3Nkd5fsfTd4iZOkeeZi+2PJOhDByH1Hsq87CP +KoYejjYUQ6QvJY2WDJCU8qXxPJkDuI6XZ6QbTDPad2xXDkA4pxuPi/c+Hb/eqLQ+ +24ebIzauC5iLdddp22oQXQOngKwUMihYggKs9cIpem8G99bcMfq1OeaDAoGBAMM6 +Z790eySPDIaKZZ/KVOu4hJe1s5vIJqN9xtV0o55PTR2wFCgwCogiXQchyhF8Qo6q +BEpcKpY1bAivmL8T2PBsLUuKC4LAr8uzW8rVFbG3HfC62RoaVOZWmH+yBABi6eej +Lh8KNhal+HzVOlMsw78FAkhq9aubWBywxfULFyrdAoGAPmnsEn3dIPkf+iMsrgk+ +cHQjHYdMrtclxV8daeAMuUf5UUsZeeck2jYvpPLRqayCXzzNiK6DaOqWgtkN3TFl +wBcX4L+f2XSRPco3id2CDFAfeldSYHiTRBbwYAhe0od1jes73IAiCA4aK5eMU2pX +FFLL8mBiHpX3SDV6MTwfG/MCgYEApgLXUC3LvVXLL+kl65ARUHUSgzNmrNSxTptY +5hCORcNnbxRYv6fCfOrDspngC6hfrJMUnOrs59g7qtMvD2TgN+m1RqP3j9Msagp1 +xvAVx45QbnFkxdaYVVpTyVpmHrH99xSC1rBHOFEgEX78XtgVCC1JOK2DhM7PSW5k +lzA8Hh0CgYBVXNnQsy4x+9D09zeFP2TKXsk7N154yUP6oxXu6OjZC+cfxHOGyi/g +PVe8ukBIknZkFRz+ZXdfZzXXuJslENOVeFEInqVAu2W55KeCPc/3SU6hB2lj6MBl +WIZ7yrUmtdalU3cPkFnHkQTL2glYAzjB2z22AxyXNzy37ZhtFpovtg== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA marsKey.pem diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..7c415b1ee --- /dev/null +++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown +} + diff --git a/testing/tests/ikev2/redirect-active/posttest.dat b/testing/tests/ikev2/redirect-active/posttest.dat new file mode 100644 index 000000000..7e436a683 --- /dev/null +++ b/testing/tests/ikev2/redirect-active/posttest.dat @@ -0,0 +1,10 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +alice::ipsec stop +moon::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +alice::ip addr del 192.168.0.5/24 dev eth1 +alice::ifdown eth1 diff --git a/testing/tests/ikev2/redirect-active/pretest.dat b/testing/tests/ikev2/redirect-active/pretest.dat new file mode 100644 index 000000000..3f7ac1dcf --- /dev/null +++ b/testing/tests/ikev2/redirect-active/pretest.dat @@ -0,0 +1,13 @@ +alice::ifup eth1 +alice::ip addr add 192.168.0.5/24 dev eth1 +moon::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +alice::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev2/redirect-active/test.conf b/testing/tests/ikev2/redirect-active/test.conf new file mode 100644 index 000000000..8056d9ce4 --- /dev/null +++ b/testing/tests/ikev2/redirect-active/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="venus carol dave" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice moon carol dave" diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat index e827687f8..ab5e18da2 100644 --- a/testing/tests/ikev2/rw-dnssec/pretest.dat +++ b/testing/tests/ikev2/rw-dnssec/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start carol::ipsec start dave::ipsec start -moon::ipsec start carol::expect-connection home carol::ipsec up home dave::expect-connection home diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat index b62e890c0..27df31fbe 100644 --- a/testing/tests/ikev2/trap-any/evaltest.dat +++ b/testing/tests/ikev2/trap-any/evaltest.dat @@ -1,8 +1,8 @@ -moon::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES -moon::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES -sun::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES -dave::ping -c 2 -W 1 -i 0.2 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES -dave::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES +moon::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES +moon::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES +sun::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES +dave::ping -c 2 -W 1 -i 0.4 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES +dave::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat index e455a3650..0cafb4faf 100644 --- a/testing/tests/libipsec/net2net-null/evaltest.dat +++ b/testing/tests/libipsec/net2net-null/evaltest.dat @@ -2,8 +2,8 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun. sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES -sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES +sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf index 4ecfb0e92..f206a16fb 100644 --- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=null-sha256-modp2048! - esp=null-sha256-modp2048! + ike=null-sha256-modp3072! + esp=null-sha256-modp3072! mobike=no conn net-net diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf index 95ea20d3c..21b116595 100644 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=null-sha256-modp2048! - esp=null-sha256-modp2048! + ike=null-sha256-modp3072! + esp=null-sha256-modp3072! mobike=no conn net-net diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat index 4d614bf7e..3b6770389 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat @@ -1,11 +1,11 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES -carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES +carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf index 7a276806e..4628311d4 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=camellia256-sha512-modp2048! - esp=camellia192-sha1! + ike=camellia256-sha512-modp3072! + esp=camellia192-sha384! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf index fb892a041..da1fbf06b 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=camellia256-sha512-modp2048! - esp=camellia192-sha1! + ike=camellia256-sha512-modp3072! + esp=camellia192-sha384! conn rw left=PH_IP_MOON diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat index 69c893f0c..941a2fecf 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat @@ -8,10 +8,10 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA successful::YES -carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES -dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_NULL successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_NULL successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat index 4d614bf7e..3b6770389 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat @@ -1,11 +1,11 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES -moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES -carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES +carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf index 004295437..f0bbfc10f 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=camellia256-sha512-modp2048! - esp=camellia192-sha1! + ike=camellia256-sha512-modp3072! + esp=camellia192-sha384! conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf index 0f6a4f569..8481f8974 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=camellia256-sha512-modp2048! - esp=camellia192-sha1! + ike=camellia256-sha512-modp3072! + esp=camellia192-sha384! conn rw left=PH_IP_MOON diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat index 590b7fe9c..9c6b73ba0 100644 --- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat +++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat @@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES -carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf index 74668e7fb..c9e9e92e5 100644 --- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf +++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-aesxcbc-modp2048! - esp=aes128-aesxcbc-modp2048! + ike=aes128-aesxcbc-modp3072! + esp=aes128-aesxcbc-modp3072! conn home left=PH_IP_CAROL diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf index 3cda72935..4e4a9324f 100644 --- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf +++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf @@ -8,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes128-aesxcbc-modp2048! - esp=aes128-aesxcbc-modp2048! + ike=aes128-aesxcbc-modp3072! + esp=aes128-aesxcbc-modp3072! conn rw left=PH_IP_MOON diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat index 5ff5edbf8..9b8456121 100644 --- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat +++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat @@ -1,25 +1,21 @@ carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES dave:: ip addr list dev eth0::PH_IP_DAVE1::YES dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES moon:: cat /var/log/daemon.log::assigning virtual IP::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql index 4a5d34993..d5c4452e2 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql index 85e47522e..a44dc276c 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql @@ -111,7 +111,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql index a584dd8c1..315749b00 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql @@ -135,7 +135,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf index 64e7cc722..2e9e6464d 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql + plugins { sql { database = sqlite:///etc/db.d/ipsec.db } - } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql -} - -libhydra { - plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db } diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat index b757d8b15..d7107ccc6 100644 --- a/testing/tests/sql/ip-pool-db-expired/posttest.dat +++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat @@ -1,6 +1,8 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat index 3e1b762d7..068d72917 100644 --- a/testing/tests/sql/ip-pool-db-expired/pretest.dat +++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -11,10 +8,11 @@ moon::ipsec pool --leases 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf index 450100fbe..ae4f83447 100644 --- a/testing/tests/sql/ip-pool-db-expired/test.conf +++ b/testing/tests/sql/ip-pool-db-expired/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat index f70e2d2de..ce7a8f5bf 100644 --- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat +++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat @@ -1,25 +1,21 @@ carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES dave:: ip addr list dev eth0::PH_IP_DAVE1::YES dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES moon:: cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES moon:: cat /var/log/daemon.log::assigning virtual IP::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql index 4a5d34993..d5c4452e2 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql index a832d0672..6f2d0fc53 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql index 6e33e05d1..399de69e5 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -129,7 +129,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf index 64e7cc722..2e9e6464d 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql + plugins { sql { database = sqlite:///etc/db.d/ipsec.db } - } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql -} - -libhydra { - plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db } diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat index b757d8b15..d7107ccc6 100644 --- a/testing/tests/sql/ip-pool-db-restart/posttest.dat +++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat @@ -1,6 +1,8 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat index 4976693ec..374693e36 100644 --- a/testing/tests/sql/ip-pool-db-restart/pretest.dat +++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -11,10 +8,11 @@ moon::ipsec pool --leases 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf index 450100fbe..ae4f83447 100644 --- a/testing/tests/sql/ip-pool-db-restart/test.conf +++ b/testing/tests/sql/ip-pool-db-restart/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat index cfa87ae3f..799692474 100644 --- a/testing/tests/sql/ip-pool-db/evaltest.dat +++ b/testing/tests/sql/ip-pool-db/evaltest.dat @@ -5,9 +5,8 @@ carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES carol::cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES @@ -16,21 +15,18 @@ dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES dave:: cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES dave:: ip addr list dev eth0::PH_IP_DAVE1::YES dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave:: ipsec status 2> /dev/null::.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES moon:: cat /var/log/daemon.log::assigning virtual IP::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES moon:: ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql index 9ef560af7..ab343f2cc 100644 --- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf index 4346eca40..310587ee2 100644 --- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql resolve } diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql index 39f05491a..ca6c5d9f2 100644 --- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf index 4346eca40..310587ee2 100644 --- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql resolve } diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql index 837836416..e37653698 100644 --- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf index 64e7cc722..2e9e6464d 100644 --- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql + plugins { sql { database = sqlite:///etc/db.d/ipsec.db } - } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql -} - -libhydra { - plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db } diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat index 47061432a..d7107ccc6 100644 --- a/testing/tests/sql/ip-pool-db/posttest.dat +++ b/testing/tests/sql/ip-pool-db/posttest.dat @@ -1,9 +1,8 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::dbdir-remove -carol::dbdir-remove -dave::dbdir-remove diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat index 0cea9d816..4d89bed3e 100644 --- a/testing/tests/sql/ip-pool-db/pretest.dat +++ b/testing/tests/sql/ip-pool-db/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf index 450100fbe..ae4f83447 100644 --- a/testing/tests/sql/ip-pool-db/test.conf +++ b/testing/tests/sql/ip-pool-db/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat index 5f7f5ec3d..b77707035 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat @@ -1,9 +1,7 @@ dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES -dave::ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -dave::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.1.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.1.1/32] remote-ts=\[10.1.0.0/16]::YES carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES moon:: cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES moon:: cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES @@ -12,7 +10,5 @@ moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .* moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.1.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.1.1/32]::YES diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql index 4a5d34993..d5c4452e2 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql index 529574a62..ddd55026d 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql @@ -116,7 +116,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql index 31d9e1c09..032b82bc9 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -129,7 +129,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf index 64e7cc722..2e9e6464d 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql + plugins { sql { database = sqlite:///etc/db.d/ipsec.db } - } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql -} - -libhydra { - plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db } diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat index a851d0924..b257564dc 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat @@ -1,3 +1,5 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat index 706cb3205..d0c7b9c76 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -9,10 +6,11 @@ carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null moon::ipsec pool --leases 2> /dev/null -moon::ipsec start -dave::ipsec start -carol::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf index 450100fbe..ae4f83447 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/test.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/ip-split-pools-db/evaltest.dat b/testing/tests/sql/ip-split-pools-db/evaltest.dat index f186d8927..16ea2287b 100644 --- a/testing/tests/sql/ip-split-pools-db/evaltest.dat +++ b/testing/tests/sql/ip-split-pools-db/evaltest.dat @@ -1,9 +1,8 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.1.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.1.1/32] remote-ts=\[10.1.0.0/16]::YES moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES @@ -13,5 +12,5 @@ moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .* moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.1.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.1.1/32]::YES diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql index 4a5d34993..d5c4452e2 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql index a832d0672..6f2d0fc53 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql index 1861e5ffb..991bcba6b 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf index 64e7cc722..2e9e6464d 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -1,16 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql + plugins { sql { database = sqlite:///etc/db.d/ipsec.db } - } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql -} - -libhydra { - plugins { attr-sql { database = sqlite:///etc/db.d/ipsec.db } diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat index a851d0924..b257564dc 100644 --- a/testing/tests/sql/ip-split-pools-db/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db/posttest.dat @@ -1,3 +1,5 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat index e820c81a2..e1f0c22ae 100644 --- a/testing/tests/sql/ip-split-pools-db/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -8,10 +5,11 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf index 450100fbe..5e41e93f1 100644 --- a/testing/tests/sql/ip-split-pools-db/test.conf +++ b/testing/tests/sql/ip-split-pools-db/test.conf @@ -23,3 +23,6 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat index 72a555d4b..a0eaae1d5 100644 --- a/testing/tests/sql/multi-level-ca/evaltest.dat +++ b/testing/tests/sql/multi-level-ca/evaltest.dat @@ -1,21 +1,17 @@ carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=[192.168.0.100/32 remote-ts=\[10.1.0.0/16]::YES dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql index bd2f3b8ed..b6e9c813e 100644 --- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql @@ -156,7 +156,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql index eae9b598a..ff60dd012 100644 --- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql @@ -159,7 +159,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql index 9d9564b12..64c68e486 100644 --- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql @@ -129,7 +129,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat index 1865a1c60..d7107ccc6 100644 --- a/testing/tests/sql/multi-level-ca/posttest.dat +++ b/testing/tests/sql/multi-level-ca/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat index 0cea9d816..4d89bed3e 100644 --- a/testing/tests/sql/multi-level-ca/pretest.dat +++ b/testing/tests/sql/multi-level-ca/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf index f6fb44f5f..2b2019d3d 100644 --- a/testing/tests/sql/multi-level-ca/test.conf +++ b/testing/tests/sql/multi-level-ca/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/net2net-cert/evaltest.dat b/testing/tests/sql/net2net-cert/evaltest.dat index f003f822f..5180ab31d 100644 --- a/testing/tests/sql/net2net-cert/evaltest.dat +++ b/testing/tests/sql/net2net-cert/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_12.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_12.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql index d49fe4975..31641518d 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'net-net', 'ipsec _updown iptables' + 'net-net', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql index 938e50753..47eabf2a8 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'net-net', 'ipsec _updown iptables' + 'net-net', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat index 1f7aa73a1..59badb867 100644 --- a/testing/tests/sql/net2net-cert/posttest.dat +++ b/testing/tests/sql/net2net-cert/posttest.dat @@ -1,4 +1,4 @@ -moon::ipsec stop -sun::ipsec stop +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat index 05fe277ce..6580e7604 100644 --- a/testing/tests/sql/net2net-cert/pretest.dat +++ b/testing/tests/sql/net2net-cert/pretest.dat @@ -1,12 +1,11 @@ -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -moon::ipsec up net-net +moon::service charon start 2> /dev/null +sun::service charon start 2> /dev/null +moon::expect-connection net-net +sun::expect-connection net-net +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf index 1b7e280e8..a553c6a7e 100644 --- a/testing/tests/sql/net2net-cert/test.conf +++ b/testing/tests/sql/net2net-cert/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/net2net-psk/evaltest.dat b/testing/tests/sql/net2net-psk/evaltest.dat index f003f822f..5180ab31d 100644 --- a/testing/tests/sql/net2net-psk/evaltest.dat +++ b/testing/tests/sql/net2net-psk/evaltest.dat @@ -1,7 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_12.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_12.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql index aa6e84c48..42116e245 100644 --- a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql @@ -55,7 +55,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'net-net', 'ipsec _updown iptables' + 'net-net', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf index e20fecca5..6332df434 100644 --- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql index 7c2865fd8..0942572ae 100644 --- a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql @@ -49,7 +49,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'net-net', 'ipsec _updown iptables' + 'net-net', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf index e20fecca5..6332df434 100644 --- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat index 1f7aa73a1..59badb867 100644 --- a/testing/tests/sql/net2net-psk/posttest.dat +++ b/testing/tests/sql/net2net-psk/posttest.dat @@ -1,4 +1,4 @@ -moon::ipsec stop -sun::ipsec stop +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat index 05fe277ce..6580e7604 100644 --- a/testing/tests/sql/net2net-psk/pretest.dat +++ b/testing/tests/sql/net2net-psk/pretest.dat @@ -1,12 +1,11 @@ -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -moon::ipsec up net-net +moon::service charon start 2> /dev/null +sun::service charon start 2> /dev/null +moon::expect-connection net-net +sun::expect-connection net-net +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf index 1b7e280e8..a553c6a7e 100644 --- a/testing/tests/sql/net2net-psk/test.conf +++ b/testing/tests/sql/net2net-psk/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat index 2c85542e6..87af401b5 100644 --- a/testing/tests/sql/net2net-route-pem/evaltest.dat +++ b/testing/tests/sql/net2net-route-pem/evaltest.dat @@ -1,15 +1,7 @@ -moon:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES moon:: cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp/8\] with reqid {1}::YES -moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-1.*INSTALLED. TUNNEL::YES sun:: cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp/8\] with reqid {2}::YES -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/28] remote-ts=\[10.2.0.0/23].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=MODP_3072.*local-ts=\[10.1.0.16/28] remote-ts=\[10.2.0.0/23]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.0/28].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=MODP_3072.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.16/28]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql index e161c6f9f..f0ae8c119 100644 --- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql @@ -131,19 +131,19 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-1', 'ipsec _updown iptables', 1, 1 + 'net-1', '/usr/local/libexec/ipsec/_updown iptables', 1, 1 ); INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-2', 'ipsec _updown iptables', 1, 1 + 'net-2', '/usr/local/libexec/ipsec/_updown iptables', 1, 1 ); INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-3', 'ipsec _updown iptables', 0, 0 + 'net-3', '/usr/local/libexec/ipsec/_updown iptables', 0, 0 ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql index 27a40ddfa..4268f8e48 100644 --- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql @@ -131,19 +131,19 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-1', 'ipsec _updown iptables', 1, 1 + 'net-1', '/usr/local/libexec/ipsec/_updown iptables', 1, 1 ); INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-2', 'ipsec _updown iptables', 1, 1 + 'net-2', '/usr/local/libexec/ipsec/_updown iptables', 1, 1 ); INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-3', 'ipsec _updown iptables', 0, 0 + 'net-3', '/usr/local/libexec/ipsec/_updown iptables', 0, 0 ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat index 1f7aa73a1..59badb867 100644 --- a/testing/tests/sql/net2net-route-pem/posttest.dat +++ b/testing/tests/sql/net2net-route-pem/posttest.dat @@ -1,4 +1,4 @@ -moon::ipsec stop -sun::ipsec stop +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat index cef74e474..576bd6738 100644 --- a/testing/tests/sql/net2net-route-pem/pretest.dat +++ b/testing/tests/sql/net2net-route-pem/pretest.dat @@ -1,13 +1,11 @@ -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start +moon::service charon start 2> /dev/null +sun::service charon start 2> /dev/null moon::expect-connection net-net -alice::ping -c 1 -W 1 PH_IP_BOB -bob::ping -c 1 -W 1 PH_IP_VENUS +alice::ping -c 1 -W 1 10.2.0.10 +bob::ping -c 1 -W 1 10.1.0.20 diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf index ee97968ab..138083669 100644 --- a/testing/tests/sql/net2net-route-pem/test.conf +++ b/testing/tests/sql/net2net-route-pem/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat index 6534adc07..630c17e1a 100644 --- a/testing/tests/sql/net2net-start-pem/evaltest.dat +++ b/testing/tests/sql/net2net-start-pem/evaltest.dat @@ -1,11 +1,5 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES +moon:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[10.2.0.0/23].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.1.0.16/28] remote-ts=\[10.2.0.0/23].*net-3.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.1.2.0/23] remote-ts=\[10.2.2.0/23]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.0/28].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.16/28].*net-3.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.2.2.0/23] remote-ts=\[10.1.2.0/23]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql index d178fe58a..7db84f21d 100644 --- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql @@ -105,25 +105,25 @@ INSERT INTO private_key_identity ( INSERT INTO proposals ( proposal ) VALUES ( - 'aes128-sha256-modp2048' + 'aes128-sha256-modp3072' ); INSERT INTO proposals ( proposal ) VALUES ( - 'aes192-sha384-modp3072' + 'aes192-sha384-modp8192' ); INSERT INTO proposals ( proposal ) VALUES ( - 'aes128gcm128' + 'aes128gcm16-modp3072' ); INSERT INTO proposals ( proposal ) VALUES ( - 'aes192gcm128' + 'aes192gcm16-modp8192' ); /* Configurations */ @@ -155,19 +155,19 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-1', 'ipsec _updown iptables', 2, 2 + 'net-1', '/usr/local/libexec/ipsec/_updown iptables', 2, 2 ); INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-2', 'ipsec _updown iptables', 2, 2 + 'net-2', '/usr/local/libexec/ipsec/_updown iptables', 2, 2 ); INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-3', 'ipsec _updown iptables', 2, 2 + 'net-3', '/usr/local/libexec/ipsec/_updown iptables', 2, 2 ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql index dd437b9b8..8d9d95d4f 100644 --- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql @@ -105,25 +105,25 @@ INSERT INTO private_key_identity ( INSERT INTO proposals ( proposal ) VALUES ( - 'aes128-sha256-modp2048' + 'aes128-sha256-modp3072' ); INSERT INTO proposals ( proposal ) VALUES ( - 'aes192-sha384-modp3072' + 'aes192-sha384-modp8192' ); INSERT INTO proposals ( proposal ) VALUES ( - 'aes128gcm128' + 'aes128gcm16-modp3072' ); INSERT INTO proposals ( proposal ) VALUES ( - 'aes192gcm128' + 'aes192gcm16-modp8192' ); /* Configurations */ @@ -155,19 +155,19 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-1', 'ipsec _updown iptables', 0, 0 + 'net-1', '/usr/local/libexec/ipsec/_updown iptables', 0, 0 ); INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-2', 'ipsec _updown iptables', 0, 0 + 'net-2', '/usr/local/libexec/ipsec/_updown iptables', 0, 0 ); INSERT INTO child_configs ( name, updown, start_action, dpd_action ) VALUES ( - 'net-3', 'ipsec _updown iptables', 0, 0 + 'net-3', '/usr/local/libexec/ipsec/_updown iptables', 0, 0 ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat index 1f7aa73a1..59badb867 100644 --- a/testing/tests/sql/net2net-start-pem/posttest.dat +++ b/testing/tests/sql/net2net-start-pem/posttest.dat @@ -1,4 +1,4 @@ -moon::ipsec stop -sun::ipsec stop +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat index f260b396c..8fc6d1a1c 100644 --- a/testing/tests/sql/net2net-start-pem/pretest.dat +++ b/testing/tests/sql/net2net-start-pem/pretest.dat @@ -1,11 +1,11 @@ -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -sun::ipsec start -moon::ipsec start -moon::sleep 1 +sun::service charon start 2> /dev/null +sun::expect-connection net-net +moon::service charon start 2> /dev/null +moon::sleep 4 + diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf index ee97968ab..138083669 100644 --- a/testing/tests/sql/net2net-start-pem/test.conf +++ b/testing/tests/sql/net2net-start-pem/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon sun" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/rw-cert/evaltest.dat b/testing/tests/sql/rw-cert/evaltest.dat index 2342d024b..bddf2fe33 100644 --- a/testing/tests/sql/rw-cert/evaltest.dat +++ b/testing/tests/sql/rw-cert/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql index 90c9a49fa..75c82fddd 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 4946b1520..22e6d1488 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql integrity_test = yes crypto_test { diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql index 70afc34cb..88a326215 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 4946b1520..22e6d1488 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql integrity_test = yes crypto_test { diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql index 27e90dee0..94316472b 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 7fed45bed..212dd3ada 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql integrity_test = yes } diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat index 1865a1c60..d7107ccc6 100644 --- a/testing/tests/sql/rw-cert/posttest.dat +++ b/testing/tests/sql/rw-cert/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat index 0cea9d816..4d89bed3e 100644 --- a/testing/tests/sql/rw-cert/pretest.dat +++ b/testing/tests/sql/rw-cert/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf index f6fb44f5f..2b2019d3d 100644 --- a/testing/tests/sql/rw-cert/test.conf +++ b/testing/tests/sql/rw-cert/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat index 73173f06b..4f3de0f30 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat @@ -1,12 +1,8 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw-eap-aka.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw-eap-aka.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql index 806a5b219..dfff0849d 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -93,7 +93,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf index 2fba94535..25a3b427c 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 } diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql index 6b74f8bdb..02a9dfe3e 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -143,7 +143,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw-eap-aka', 'ipsec _updown iptables' + 'rw-eap-aka', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf index b06c611b7..34cc5892b 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 gmp x509 revocation hmac vici kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 } diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat index 046d4cfdc..2fc2bbb75 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat index a6cbee7a9..d964629a2 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat @@ -1,12 +1,11 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +moon::expect-connection rw-eap-aka carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf index 81b1d3bdb..5bd7b1495 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/test.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/rw-psk-ipv4/evaltest.dat b/testing/tests/sql/rw-psk-ipv4/evaltest.dat index eaf47395e..80fd718a7 100644 --- a/testing/tests/sql/rw-psk-ipv4/evaltest.dat +++ b/testing/tests/sql/rw-psk-ipv4/evaltest.dat @@ -1,15 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql index a5ff52d65..4b5b183e5 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql @@ -49,7 +49,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf index e20fecca5..6332df434 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql index ac39472f3..5aa53d6c8 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql @@ -49,7 +49,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf index e20fecca5..6332df434 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql index 231b84cb9..3d2f5d80b 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql @@ -79,7 +79,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf index e20fecca5..6332df434 100644 --- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat index 1865a1c60..d7107ccc6 100644 --- a/testing/tests/sql/rw-psk-ipv4/posttest.dat +++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat index 0cea9d816..4d89bed3e 100644 --- a/testing/tests/sql/rw-psk-ipv4/pretest.dat +++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf index f6fb44f5f..2b2019d3d 100644 --- a/testing/tests/sql/rw-psk-ipv4/test.conf +++ b/testing/tests/sql/rw-psk-ipv4/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat index 344dfa809..63c8b6414 100644 --- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat +++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat @@ -1,15 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*10].*\[fec0.*1]::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*20].*\[fec0.*1]::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*1].*\[fec0.*10]::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*1].*\[fec0.*20]::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:20 remote-port=4500 remote-id=fec0:\:20.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES - diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql index 8cbb82d71..031303d2a 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql @@ -49,7 +49,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf index e20fecca5..6332df434 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql index 87055a216..fd91771b1 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql @@ -49,7 +49,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf index e20fecca5..6332df434 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql index 2479bea12..0d94f3474 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql @@ -79,7 +79,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf index e20fecca5..6332df434 100644 --- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat index 4e59395e3..3f82576b6 100644 --- a/testing/tests/sql/rw-psk-ipv6/posttest.dat +++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat index 894689648..60a1055a2 100644 --- a/testing/tests/sql/rw-psk-ipv6/pretest.dat +++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -16,10 +13,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules alice::"ip route add fec0:\:/16 via fec1:\:1" carol::"ip route add fec1:\:/16 via fec0:\:1" dave::"ip route add fec1:\:/16 via fec0:\:1" -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf index 024105ebb..2b2019d3d 100644 --- a/testing/tests/sql/rw-psk-ipv6/test.conf +++ b/testing/tests/sql/rw-psk-ipv6/test.conf @@ -9,7 +9,7 @@ VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c-w-d-ip6.png" +DIAGRAM="a-m-c-w-d.png" # Guest instances on which tcpdump is to be started # @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat index 1206ea4b7..d3ddd8cf6 100644 --- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat @@ -1,16 +1,12 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql index c6c08a0c8..37e8b09c4 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql @@ -93,7 +93,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql index 3620f201e..724ace333 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql @@ -94,7 +94,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql index a3d480f96..d1349f9c3 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql @@ -168,7 +168,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf index 8b25be7aa..f5b531db9 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat index 1865a1c60..d7107ccc6 100644 --- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat index 0cea9d816..4d89bed3e 100644 --- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf index f6fb44f5f..2b2019d3d 100644 --- a/testing/tests/sql/rw-psk-rsa-split/test.conf +++ b/testing/tests/sql/rw-psk-rsa-split/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/rw-rsa-keyid/evaltest.dat b/testing/tests/sql/rw-rsa-keyid/evaltest.dat index 4f5cd724c..8d6c64a94 100644 --- a/testing/tests/sql/rw-rsa-keyid/evaltest.dat +++ b/testing/tests/sql/rw-rsa-keyid/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*1f:a1:.*:6e:7c.*6a:9c:.*:29:2e::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*ee:7f:.*:8e:0e.*6a:9c:.*:29:2e::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*6a:9c:.*:29:2e.*1f:a1:.*:6e:7c::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*6a:9c:.*:29:2e.*ee:7f:.*:8e:0e::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=1f:a1:.*:6e:7c remote-host=192.168.0.1 remote-port=4500 remote-id=6a:9c:.*:29:2e initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=ee:7f:.*:8e:0e remote-host=192.168.0.1 remote-port=4500 remote-id=6a:9c:.*:29:2e initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=6a:9c:.*:29:2e remote-host=192.168.0.200 remote-port=4500 remote-id=ee:7f:.*:8e:0e.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=6a:9c:.*:29:2e remote-host=192.168.0.100 remote-port=4500 remote-id=1f:a1:.*:6e:7c.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql index 4f181b91b..ebec5c16f 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql @@ -99,7 +99,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf index 75a2b0624..43ece9087 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql index 9a36c2c37..961dd65c0 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql @@ -99,7 +99,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf index 75a2b0624..43ece9087 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql index 9718a75bf..dee634c50 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql @@ -135,7 +135,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf index 75a2b0624..43ece9087 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat index 1865a1c60..d7107ccc6 100644 --- a/testing/tests/sql/rw-rsa-keyid/posttest.dat +++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat index 0cea9d816..4d89bed3e 100644 --- a/testing/tests/sql/rw-rsa-keyid/pretest.dat +++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf index f6fb44f5f..2b2019d3d 100644 --- a/testing/tests/sql/rw-rsa-keyid/test.conf +++ b/testing/tests/sql/rw-rsa-keyid/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/rw-rsa/evaltest.dat b/testing/tests/sql/rw-rsa/evaltest.dat index ba661975b..b28e4c4a9 100644 --- a/testing/tests/sql/rw-rsa/evaltest.dat +++ b/testing/tests/sql/rw-rsa/evaltest.dat @@ -1,13 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql index 8219bdfad..987e4ad78 100644 --- a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -99,7 +99,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf index 75a2b0624..43ece9087 100644 --- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql index 7c9cd9fe4..fda055a06 100644 --- a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql @@ -98,7 +98,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'home', 'ipsec _updown iptables' + 'home', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf index 75a2b0624..43ece9087 100644 --- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql index 8a4eb2d21..bc18a87df 100644 --- a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -135,7 +135,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'rw', 'ipsec _updown iptables' + 'rw', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf index 75a2b0624..43ece9087 100644 --- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat index 1865a1c60..d7107ccc6 100644 --- a/testing/tests/sql/rw-rsa/posttest.dat +++ b/testing/tests/sql/rw-rsa/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat index 0cea9d816..4d89bed3e 100644 --- a/testing/tests/sql/rw-rsa/pretest.dat +++ b/testing/tests/sql/rw-rsa/pretest.dat @@ -1,6 +1,3 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf index f6fb44f5f..2b2019d3d 100644 --- a/testing/tests/sql/rw-rsa/test.conf +++ b/testing/tests/sql/rw-rsa/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="$IPSECHOSTS" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat index 4d36673dc..8b1173776 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat @@ -1,12 +1,15 @@ -alice::ipsec status 2> /dev/null::local-net.*PASS::YES -venus::ipsec status 2> /dev/null::local-net.*PASS::YES -alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES -venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16]::YES +venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES +sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 + local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES +sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES -alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES \ No newline at end of file +alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 50eccad21..000000000 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index 76bb21bea..000000000 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# secrets are read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf index f4dd8f199..209df5871 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql keep_alive = 5 } diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 50eccad21..000000000 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql index 8489f10a1..abda7caff 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql @@ -117,7 +117,7 @@ INSERT INTO peer_configs ( INSERT INTO child_configs ( name, updown ) VALUES ( - 'nat-t', 'ipsec _updown iptables' + 'nat-t', '/usr/local/libexec/ipsec/_updown iptables' ); INSERT INTO peer_config_child_config ( diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index 76bb21bea..000000000 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# secrets are read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf index 6210c21cc..4048545d5 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf @@ -9,5 +9,5 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql } diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf deleted file mode 100644 index 50eccad21..000000000 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets deleted file mode 100644 index 76bb21bea..000000000 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# secrets are read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf index f4dd8f199..209df5871 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/db.d/ipsec.db } } - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql keep_alive = 5 } diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6b5617317 --- /dev/null +++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# configuration is read from SQLite database diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat index e772be6af..b02b19357 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat @@ -1,5 +1,5 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop +alice::service charon stop 2> /dev/null +venus::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null sun::iptables-restore < /etc/iptables.flush -moon::iptables -t nat -F \ No newline at end of file +moon::iptables -t nat -F diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat index c23c09981..8d61e4c87 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat @@ -1,6 +1,3 @@ -alice::rm /etc/ipsec.d/cacerts/* -venus::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql @@ -10,11 +7,11 @@ sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -alice::ipsec start -venus::ipsec start -sun::ipsec start +sun::service charon start 2> /dev/null +alice::service charon start 2> /dev/null +venus::service charon start 2> /dev/null +sun::expect-connection nat-t alice::expect-connection nat-t +alice::swanctl --initiate --child nat-t 2> /dev/null venus::expect-connection nat-t -sun::expect-connection nat-t -alice::ipsec up nat-t -venus::ipsec up nat-t \ No newline at end of file +venus::swanctl --initiate --child nat-t 2> /dev/null diff --git a/testing/tests/sql/shunt-policies-nat-rw/test.conf b/testing/tests/sql/shunt-policies-nat-rw/test.conf index d797acb06..d22f20660 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/test.conf +++ b/testing/tests/sql/shunt-policies-nat-rw/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="alice venus sun" # Guest instances on which databases are used # DBHOSTS="alice venus sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/config-payload/description.txt b/testing/tests/swanctl/config-payload/description.txt new file mode 100755 index 000000000..3e68a7798 --- /dev/null +++ b/testing/tests/swanctl/config-payload/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +Both carol and dave request a virtual IP via the IKEv2 configuration payload. +moon explicitly assigns a specific virtual IP to each of the two clients. +

    +leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnels, carol and dave then ping the client +alice behind the gateway moon. The source IP addresses of the two pings will be the +virtual IPs 10.3.0.1 and 10.3.0.2, respectively. diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat new file mode 100755 index 000000000..7d5584482 --- /dev/null +++ b/testing/tests/swanctl/config-payload/evaltest.dat @@ -0,0 +1,16 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] +moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES +moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_req=1::YES +alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..7d7e5f9f5 --- /dev/null +++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f1a76db62 --- /dev/null +++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..7d7e5f9f5 --- /dev/null +++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..184185bb3 --- /dev/null +++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..cd161bed0 --- /dev/null +++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + pools = /usr/local/sbin/swanctl --load-pools + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5b4f02142 --- /dev/null +++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw-carol { + include swanctl_base.conf + pools = carol_vip + + remote { + auth = pubkey + id = carol@strongswan.org + } + } + + rw-dave { + include swanctl_base.conf + pools = dave_vip + + remote { + auth = pubkey + id = dave@strongswan.org + } + } + +} + +pools { + + carol_vip { + addrs = 10.3.0.1 + } + + dave_vip { + addrs = 10.3.0.2 + } +} diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf new file mode 100755 index 000000000..08fa7113c --- /dev/null +++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf @@ -0,0 +1,17 @@ + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 diff --git a/testing/tests/swanctl/config-payload/posttest.dat b/testing/tests/swanctl/config-payload/posttest.dat new file mode 100755 index 000000000..d7107ccc6 --- /dev/null +++ b/testing/tests/swanctl/config-payload/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/config-payload/pretest.dat b/testing/tests/swanctl/config-payload/pretest.dat new file mode 100755 index 000000000..9c281d032 --- /dev/null +++ b/testing/tests/swanctl/config-payload/pretest.dat @@ -0,0 +1,12 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cat /etc/swanctl/swanctl_base.conf +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw-carol +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/config-payload/test.conf b/testing/tests/swanctl/config-payload/test.conf new file mode 100755 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/config-payload/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/dhcp-dynamic/description.txt b/testing/tests/swanctl/dhcp-dynamic/description.txt new file mode 100644 index 000000000..bef542371 --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +and request a virtual IP via the IKEv2 configuration payload by using the vips=0.0.0.0 +parameter. The dhcp plugin on gateway moon then requests an IP address and DNS server +information from DHCP server venus using the DHCP protocol. The IP addresses are assigned dynamically +by venus from the pool 10.1.0.50..10.1.0.60 so that carol and dave become full members +of the subnet 10.1.0.0/16 hidden behind gateway moon. And this thanks to the farp plugin +through which moon acts as a proxy for ARP requests e.g. from alice who wants to ping +carol and dave. diff --git a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat new file mode 100644 index 000000000..74d6ca86b --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat @@ -0,0 +1,22 @@ +alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_req=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32] +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES +alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES +alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES +alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..5b06b251f --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default resolve updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f1a76db62 --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..5b06b251f --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default resolve updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..184185bb3 --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf new file mode 100644 index 000000000..0340d5669 --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf @@ -0,0 +1,9 @@ +subnet 10.1.0.0 netmask 255.255.0.0 { + option routers 10.1.0.1; + option broadcast-address 10.1.255.255; + option domain-name servers PH_IP_WINNETOU PH_IP_VENUS + option netbios-name-servers PH_IP_VENUS; + + # dynamic address pool for visitors + range 10.1.0.30 10.1.0.50; +} diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..2d9a466b0 --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules @@ -0,0 +1,39 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow bootpc and bootps +-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT +-A INPUT -p udp --sport bootps --dport bootps -j ACCEPT + +# allow broadcasts from eth1 +-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..36e4e772a --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + + plugins { + dhcp { + server = 10.1.255.255 + } + } +} diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e19568b4b --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = dhcp + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf new file mode 100644 index 000000000..7a178505f --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf @@ -0,0 +1,14 @@ +# dhcpd configuration file + +ddns-update-style none; + +subnet 10.1.0.0 netmask 255.255.0.0 { + option domain-name "strongswan.org"; + option domain-name-servers PH_IP_VENUS; + option netbios-name-servers PH_IP_ALICE; + option routers PH_IP_MOON1; + option broadcast-address 10.1.255.255; + next-server PH_IP_VENUS; + + range 10.1.0.50 10.1.0.60; +} diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf new file mode 100644 index 000000000..ec8c945a7 --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf @@ -0,0 +1,7 @@ +interface=eth0 +dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255 +dhcp-option=option:router,PH_IP_MOON1 +dhcp-option=option:dns-server,PH_IP_VENUS +dhcp-option=option:netbios-ns,PH_IP_ALICE +dhcp-option=option:domain-name,strongswan.org +log-dhcp diff --git a/testing/tests/swanctl/dhcp-dynamic/posttest.dat b/testing/tests/swanctl/dhcp-dynamic/posttest.dat new file mode 100644 index 000000000..624a26b4b --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/posttest.dat @@ -0,0 +1,12 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +venus::cat /var/state/dhcp/dhcpd.leases +venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +alice::arp -d 10.1.0.50 +alice::arp -d 10.1.0.51 diff --git a/testing/tests/swanctl/dhcp-dynamic/pretest.dat b/testing/tests/swanctl/dhcp-dynamic/pretest.dat new file mode 100644 index 000000000..6d935b63c --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +venus::cat /etc/dhcp/dhcpd.conf +venus::/etc/init.d/isc-dhcp-server start 2> /dev/null +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/dhcp-dynamic/test.conf b/testing/tests/swanctl/dhcp-dynamic/test.conf new file mode 100644 index 000000000..853093c96 --- /dev/null +++ b/testing/tests/swanctl/dhcp-dynamic/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/frags-ipv4/description.txt b/testing/tests/swanctl/frags-ipv4/description.txt index 51744cf7c..b5b871126 100755 --- a/testing/tests/swanctl/frags-ipv4/description.txt +++ b/testing/tests/swanctl/frags-ipv4/description.txt @@ -1,7 +1,7 @@ -The roadwarriors carol and dave set up a connection each -to gateway moon using the IKEv2 key exchange protocol. The -authentication is based on X.509 certificates. dave advertises -the support of the IKEv2 fragmentation protocol defined in RFC 7383 +The roadwarriors carol and dave set up an IPv4 connection each to +gateway moon using the IKEv1 and IKEv2 key exchange protocol, +respectively. The authentication is based on X.509 certificates. dave +advertises the support of the IKEv2 fragmentation protocol defined in RFC 7383 which prevents the IP fragmentation of the IKEv2 messages carrying large X.509 certificates whereas carol announces support of non-standardized IKEv1 fragmentation. diff --git a/testing/tests/swanctl/frags-ipv4/evaltest.dat b/testing/tests/swanctl/frags-ipv4/evaltest.dat index a4aea93ba..af4c5a0f5 100755 --- a/testing/tests/swanctl/frags-ipv4/evaltest.dat +++ b/testing/tests/swanctl/frags-ipv4/evaltest.dat @@ -7,10 +7,10 @@ dave:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete dave:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES moon:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES moon:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf index 9062e6571..6b01dfc02 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf @@ -17,17 +17,12 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m esp_proposals = aes128-sha256-ecp256 } } - version = 1 fragmentation = yes - reauth_time = 60m - rekey_time = 20m proposals = aes128-sha256-ecp256 } } diff --git a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf index a4abc6ffc..e1d2487e9 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf @@ -17,18 +17,13 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m esp_proposals = aes128-sha256-ecp256 } } - version = 2 mobike = no fragmentation = yes - reauth_time = 60m - rekey_time = 20m proposals = aes128-sha256-ecp256 } } diff --git a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf index a19f54254..2d219cdf0 100755 --- a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf @@ -15,17 +15,12 @@ connections { net { local_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m esp_proposals = aes128-sha256-ecp256 } } - mobike = no fragmentation = yes - reauth_time = 60m - rekey_time = 20m proposals = aes128-sha256-ecp256 } } diff --git a/testing/tests/swanctl/frags-ipv4/pretest.dat b/testing/tests/swanctl/frags-ipv4/pretest.dat index 706bd1edd..762c35418 100755 --- a/testing/tests/swanctl/frags-ipv4/pretest.dat +++ b/testing/tests/swanctl/frags-ipv4/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/frags-ipv6/evaltest.dat b/testing/tests/swanctl/frags-ipv6/evaltest.dat index 4ec34d71d..18814f65e 100755 --- a/testing/tests/swanctl/frags-ipv6/evaltest.dat +++ b/testing/tests/swanctl/frags-ipv6/evaltest.dat @@ -7,10 +7,10 @@ dave:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete dave:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES moon:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES moon:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org: icmp_seq=1::YES alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org: icmp_seq=1::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf index 9e857f69b..71fc4ea29 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf @@ -17,17 +17,12 @@ connections { home { remote_ts = fec1::/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m esp_proposals = aes128-sha256-ecp256 } } - version = 1 fragmentation = yes - reauth_time = 60m - rekey_time = 20m proposals = aes128-sha256-ecp256 } } diff --git a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf index bc5e54198..f4e8a81b5 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf @@ -17,18 +17,13 @@ connections { home { remote_ts = fec1::/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m esp_proposals = aes128-sha256-ecp256 } } - version = 2 mobike = no fragmentation = yes - reauth_time = 60m - rekey_time = 20m proposals = aes128-sha256-ecp256 } } diff --git a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf index a59d13790..a6241e9fa 100755 --- a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf @@ -15,17 +15,12 @@ connections { net { local_ts = fec1::/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m esp_proposals = aes128-sha256-ecp256 } } - mobike = no fragmentation = yes - reauth_time = 60m - rekey_time = 20m proposals = aes128-sha256-ecp256 } } diff --git a/testing/tests/swanctl/frags-ipv6/pretest.dat b/testing/tests/swanctl/frags-ipv6/pretest.dat index 868038678..9593ac9f8 100755 --- a/testing/tests/swanctl/frags-ipv6/pretest.dat +++ b/testing/tests/swanctl/frags-ipv6/pretest.dat @@ -10,6 +10,8 @@ dave::"ip route add fec1:\:/16 via fec0:\:1" moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat index f76c35689..4af4f3083 100755 --- a/testing/tests/swanctl/ip-pool-db/evaltest.dat +++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat @@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf index 0bb341486..f1a76db62 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf @@ -18,16 +18,11 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf index 24d2f8645..184185bb3 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf @@ -18,16 +18,11 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf index d05dea005..3975512d4 100755 --- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf @@ -16,16 +16,11 @@ connections { net { local_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat index 91380e6f9..955a3c9be 100755 --- a/testing/tests/swanctl/ip-pool-db/pretest.dat +++ b/testing/tests/swanctl/ip-pool-db/pretest.dat @@ -7,9 +7,11 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::service charon start 2> /dev/null +moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat index a0891c358..5ba0002b0 100755 --- a/testing/tests/swanctl/ip-pool/evaltest.dat +++ b/testing/tests/swanctl/ip-pool/evaltest.dat @@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf index 0bb341486..f1a76db62 100755 --- a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf @@ -18,16 +18,11 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf index 24d2f8645..184185bb3 100755 --- a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf @@ -18,16 +18,11 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf index aa31d0f26..8d4dd6bdd 100755 --- a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf @@ -16,17 +16,12 @@ connections { net { local_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/swanctl/ip-pool/pretest.dat index 706bd1edd..762c35418 100755 --- a/testing/tests/swanctl/ip-pool/pretest.dat +++ b/testing/tests/swanctl/ip-pool/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt new file mode 100644 index 000000000..3641d09ff --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt @@ -0,0 +1,17 @@ +The roadwarrior carol sets up a connection to gateway moon +using multiple authentication exchanges (RFC 4739). In a first round +both carol and moon authenticate themselves by sending +an IKEv2 RSA signature accompanied by a certificate. +

    +In a second round carol then uses the Extensible Authentication Protocol +in association with a GSM Subscriber Identity Module (EAP-SIM) to +authenticate herself against the remote RADIUS server alice. +In this scenario, triplets from the file /etc/ipsec.d/triplets.dat +are used instead of a physical SIM card on the client carol. +The gateway forwards all EAP messages to the RADIUS server alice +which also uses a static triplets file. +

    +The roadwarrior dave also uses multiple authentication and succeeds +in the first round but sends wrong EAP-SIM triplets in the second round. +As a consequence the radius server alice returns an Access-Reject +message and the gateway moon sends back an EAP_FAILURE. diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat new file mode 100644 index 000000000..50128d519 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat @@ -0,0 +1,20 @@ +moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES +moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES +dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES +moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES +moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES + diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files new file mode 100644 index 000000000..10c26aa15 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files @@ -0,0 +1,3 @@ +sim_files { + simtriplets = "/etc/freeradius/triplets.dat" +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..91425f812 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,61 @@ +authorize { + preprocess + chap + mschap + sim_files + suffix + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat new file mode 100644 index 000000000..aaabab89e --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat @@ -0,0 +1,6 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB +228060123456002,33000000000000000000000000000000,33112233,335566778899AABB +228060123456002,34000000000000000000000000000000,34112233,345566778899AABB +228060123456002,35000000000000000000000000000000,35112233,355566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..c167ba940 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bccbe5a51 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..944e78ee3 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + local-eap { + auth = eap + id = 228060123456001@strongswan.org + eap_id = 228060123456001 + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..b8b86c875 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456002,33000000000000000000000000000000,33112244,335566778899AABB +228060123456002,34000000000000000000000000000000,34112244,345566778899AABB +228060123456002,35000000000000000000000000000000,35112244,355566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bccbe5a51 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bca5ad39a --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + local-eap { + auth = eap + id=228060123456002@strongswan.org + eap_id=228060123456002 + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..7f90207b2 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..396eff5af --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = *@strongswan.org + } + remote-eap { + auth = eap-radius + eap_id = %any + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat new file mode 100644 index 000000000..25354d363 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat @@ -0,0 +1,4 @@ +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +alice::killall radiusd diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat new file mode 100644 index 000000000..a6909c89f --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat @@ -0,0 +1,15 @@ +alice::cat /etc/freeradius/clients.conf +alice::cat /etc/freeradius/eap.conf +alice::cat /etc/freeradius/proxy.conf +alice::cat /etc/freeradius/triplets.dat +carol::cat /etc/ipsec.d/triplets.dat +dave::cat /etc/ipsec.d/triplets.dat +alice::radiusd +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf new file mode 100644 index 000000000..678115012 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf @@ -0,0 +1,30 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 + diff --git a/testing/tests/swanctl/multi-level-ca/evaltest.dat b/testing/tests/swanctl/multi-level-ca/evaltest.dat index 619f44b08..050a35db3 100644 --- a/testing/tests/swanctl/multi-level-ca/evaltest.dat +++ b/testing/tests/swanctl/multi-level-ca/evaltest.dat @@ -4,16 +4,16 @@ moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES -moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO -moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO +moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon:: cat /var/log/daemon.log::selected peer config.*research.*inacceptable::YES moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO -moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES -moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf index 89fccff92..e6c90c063 100755 --- a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf @@ -24,7 +24,6 @@ connections { esp_proposals = aes128-sha256-ecp256 } } - version = 2 proposals = aes128-sha256-ecp256 } diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf index 0a87ed3b8..5ca7bb541 100755 --- a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf @@ -24,7 +24,6 @@ connections { esp_proposals = aes128-sha256-ecp256 } } - version = 2 proposals = aes128-sha256-ecp256 } diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf index 496c5fdfa..574887d7e 100755 --- a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf @@ -19,7 +19,6 @@ connections { esp_proposals = aes128-sha256-ecp256 } } - version = 2 proposals = aes128-sha256-ecp256 } @@ -43,7 +42,6 @@ connections { esp_proposals = aes128-sha256-ecp256 } } - version = 2 proposals = aes128-sha256-ecp256 } diff --git a/testing/tests/swanctl/multi-level-ca/pretest.dat b/testing/tests/swanctl/multi-level-ca/pretest.dat index 61ac75d84..4c1be2e14 100644 --- a/testing/tests/swanctl/multi-level-ca/pretest.dat +++ b/testing/tests/swanctl/multi-level-ca/pretest.dat @@ -1,8 +1,10 @@ moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection research +carol::expect-connection alice carol::swanctl --initiate --child alice 2> /dev/null carol::swanctl --initiate --child venus 2> /dev/null +dave::expect-connection alice dave::swanctl --initiate --child alice 2> /dev/null dave::swanctl --initiate --child venus 2> /dev/null diff --git a/testing/tests/swanctl/net2net-cert/evaltest.dat b/testing/tests/swanctl/net2net-cert/evaltest.dat index cdbecd553..48a8857f4 100755 --- a/testing/tests/swanctl/net2net-cert/evaltest.dat +++ b/testing/tests/swanctl/net2net-cert/evaltest.dat @@ -1,5 +1,5 @@ -moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES -sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf index 2f0fd9da1..b1c005b47 100755 --- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -18,17 +18,12 @@ connections { local_ts = 10.1.0.0/16 remote_ts = 10.2.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 mobike = no - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf index e4c855621..c3512132f 100755 --- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -18,17 +18,12 @@ connections { local_ts = 10.2.0.0/16 remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 mobike = no - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/swanctl/net2net-cert/pretest.dat index 81410ffc2..b128bef44 100755 --- a/testing/tests/swanctl/net2net-cert/pretest.dat +++ b/testing/tests/swanctl/net2net-cert/pretest.dat @@ -2,5 +2,6 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::service charon start 2> /dev/null sun::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection gw-gw +sun::expect-connection gw-gw moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-pubkey/description.txt b/testing/tests/swanctl/net2net-pubkey/description.txt new file mode 100644 index 000000000..1cb90f13f --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/description.txt @@ -0,0 +1,7 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on raw RSA keys loaded in PKCS#1 format. +

    +Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/swanctl/net2net-pubkey/evaltest.dat b/testing/tests/swanctl/net2net-pubkey/evaltest.dat new file mode 100644 index 000000000..849117652 --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..531e286ce --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem new file mode 100644 index 000000000..94fadce57 --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz +pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB +r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x +vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL +0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy +YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47 +nwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/sunPub.pem b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/sunPub.pem new file mode 100644 index 000000000..5254ed164 --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/sunPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyIgBH1KWzMMmEYS1Gr1 +4IUBg120vdsLuNwQuzu22qIHnWIBSB2L0lkLOBY0AYd3wi9ENXnb0MOJTFfE5YJ1 +gpSZCnS3m9HqgTmmYeZ3mVxSC4TJWu2oVKvosxSo5fAVvjVVQ089HtjIsx2BR/0q +LQ9lZ2dUtUSn9kohjU5qpktOfJ9XuTQj9dBfa5bpQMJoLUBAGWPMR+sPaBRwb34U +ulvmoOyIZTKGEsH6czUY0+dm8iUKmkP7S3fEQjzv56Dk3zrJcFy7ij87uu9Wk/Xs +auHAq5jHREcMFJwEOj9ZE0Q6ufz9D2NBSWvLTr7QKFVhj5HfbyUcAGRqgf+sHrkl +IQIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..08bc9380b --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + pubkeys = moonPub.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + pubkeys = sunPub.pem + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..531e286ce --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/moonPub.pem new file mode 100644 index 000000000..94fadce57 --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/moonPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz +pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB +r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x +vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL +0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy +YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47 +nwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem new file mode 100644 index 000000000..5254ed164 --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyIgBH1KWzMMmEYS1Gr1 +4IUBg120vdsLuNwQuzu22qIHnWIBSB2L0lkLOBY0AYd3wi9ENXnb0MOJTFfE5YJ1 +gpSZCnS3m9HqgTmmYeZ3mVxSC4TJWu2oVKvosxSo5fAVvjVVQ089HtjIsx2BR/0q +LQ9lZ2dUtUSn9kohjU5qpktOfJ9XuTQj9dBfa5bpQMJoLUBAGWPMR+sPaBRwb34U +ulvmoOyIZTKGEsH6czUY0+dm8iUKmkP7S3fEQjzv56Dk3zrJcFy7ij87uu9Wk/Xs +auHAq5jHREcMFJwEOj9ZE0Q6ufz9D2NBSWvLTr7QKFVhj5HfbyUcAGRqgf+sHrkl +IQIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e61450928 --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + pubkeys = sunPub.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + pubkeys = moonPub.pem + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/swanctl/net2net-pubkey/posttest.dat b/testing/tests/swanctl/net2net-pubkey/posttest.dat new file mode 100644 index 000000000..c2227a5dd --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/posttest.dat @@ -0,0 +1,7 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/swanctl/pubkey/* +sun::rm /etc/swanctl/pubkey/* diff --git a/testing/tests/swanctl/net2net-pubkey/pretest.dat b/testing/tests/swanctl/net2net-pubkey/pretest.dat new file mode 100644 index 000000000..11e7d5092 --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/pretest.dat @@ -0,0 +1,8 @@ +sun::iptables-restore < /etc/iptables.rules +moon::iptables-restore < /etc/iptables.rules +sun::cd /etc/swanctl; rm x509/* x509ca/* +moon::cd /etc/swanctl; rm x509/* x509ca/* +sun::service charon start 2> /dev/null +moon::service charon start 2> /dev/null +moon::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-pubkey/test.conf b/testing/tests/swanctl/net2net-pubkey/test.conf new file mode 100644 index 000000000..07a3b247a --- /dev/null +++ b/testing/tests/swanctl/net2net-pubkey/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/net2net-route/evaltest.dat b/testing/tests/swanctl/net2net-route/evaltest.dat index 04df90bea..ae292c165 100755 --- a/testing/tests/swanctl/net2net-route/evaltest.dat +++ b/testing/tests/swanctl/net2net-route/evaltest.dat @@ -1,7 +1,7 @@ moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES -moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES -sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf index 1dfcfd179..3de6edcb6 100755 --- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf @@ -20,15 +20,11 @@ connections { start_action = trap updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 mobike = no - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf index e4c855621..5a9cd1308 100755 --- a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf @@ -20,15 +20,11 @@ connections { start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 mobike = no - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat index 065d38d76..459879bbc 100755 --- a/testing/tests/swanctl/net2net-route/pretest.dat +++ b/testing/tests/swanctl/net2net-route/pretest.dat @@ -2,5 +2,6 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules sun::service charon start 2> /dev/null moon::service charon start 2> /dev/null -moon::sleep 1 -alice::ping -c 3 10.2.0.10 +sun::expect-connection gw-gw +moon::expect-connection gw-gw +alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB diff --git a/testing/tests/swanctl/net2net-start/evaltest.dat b/testing/tests/swanctl/net2net-start/evaltest.dat index cdbecd553..48a8857f4 100755 --- a/testing/tests/swanctl/net2net-start/evaltest.dat +++ b/testing/tests/swanctl/net2net-start/evaltest.dat @@ -1,5 +1,5 @@ -moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES -sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf index 6770f6ab7..0713e7d25 100755 --- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf @@ -20,15 +20,11 @@ connections { start_action = start updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 mobike = no - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf index e4c855621..5a9cd1308 100755 --- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf @@ -20,15 +20,11 @@ connections { start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 mobike = no - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/swanctl/net2net-start/pretest.dat index e4198365f..6c1783b74 100755 --- a/testing/tests/swanctl/net2net-start/pretest.dat +++ b/testing/tests/swanctl/net2net-start/pretest.dat @@ -2,4 +2,4 @@ sun::iptables-restore < /etc/iptables.rules moon::iptables-restore < /etc/iptables.rules sun::service charon start 2> /dev/null moon::service charon start 2> /dev/null -moon::sleep 1 +moon::sleep 0.5 diff --git a/testing/tests/swanctl/ocsp-multi-level/evaltest.dat b/testing/tests/swanctl/ocsp-multi-level/evaltest.dat index 48776c47c..2f3c34622 100644 --- a/testing/tests/swanctl/ocsp-multi-level/evaltest.dat +++ b/testing/tests/swanctl/ocsp-multi-level/evaltest.dat @@ -1,8 +1,8 @@ -moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.research.strongswan.org::YES -moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.sales.strongswan.org::YES -moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES -carol::swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES -dave:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES +moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.research.strongswan.org::YES +moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.sales.strongswan.org::YES +moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES +carol::swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES +dave:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES @@ -11,16 +11,16 @@ dave:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongsw moon:: cat /var/log/daemon.log::certificate status is good::YES carol::cat /var/log/daemon.log::certificate status is good::YES dave:: cat /var/log/daemon.log::certificate status is good::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES -moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO -moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO +moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon:: cat /var/log/daemon.log::selected peer config.*research.*inacceptable::YES moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO -moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES -moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf index 26c3a898e..7867fde45 100755 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf @@ -24,7 +24,6 @@ connections { esp_proposals = aes128-sha256-ecp256 } } - version = 2 proposals = aes128-sha256-ecp256 } diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf index 8752e9bc8..0c305210e 100755 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf @@ -24,7 +24,6 @@ connections { esp_proposals = aes128-sha256-ecp256 } } - version = 2 proposals = aes128-sha256-ecp256 } diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf index 2cb05013d..c5beb2cde 100755 --- a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf @@ -19,7 +19,6 @@ connections { esp_proposals = aes128-sha256-ecp256 } } - version = 2 proposals = aes128-sha256-ecp256 } @@ -43,7 +42,6 @@ connections { esp_proposals = aes128-sha256-ecp256 } } - version = 2 proposals = aes128-sha256-ecp256 } diff --git a/testing/tests/swanctl/ocsp-multi-level/pretest.dat b/testing/tests/swanctl/ocsp-multi-level/pretest.dat index 61ac75d84..7b83e219d 100644 --- a/testing/tests/swanctl/ocsp-multi-level/pretest.dat +++ b/testing/tests/swanctl/ocsp-multi-level/pretest.dat @@ -1,8 +1,10 @@ moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection research +carol::expect-connection home carol::swanctl --initiate --child alice 2> /dev/null carol::swanctl --initiate --child venus 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child alice 2> /dev/null dave::swanctl --initiate --child venus 2> /dev/null diff --git a/testing/tests/swanctl/protoport-dual/description.txt b/testing/tests/swanctl/protoport-dual/description.txt new file mode 100644 index 000000000..35c5b3967 --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/description.txt @@ -0,0 +1,7 @@ +Using [<protocol>/<port>] selectors in the +local_ts and remote_ts child parameters, two IPsec tunnels +between the roadwarrior carol and the gateway moon are defined. +The first CHILD_SA is restricted to ICMP packets and the second +covers TCP-based SSH connections. The established tunnels are tested +by carol by first pinging alice behind moon and +then setting up an SSH session to the same client. diff --git a/testing/tests/swanctl/protoport-dual/evaltest.dat b/testing/tests/swanctl/protoport-dual/evaltest.dat new file mode 100644 index 000000000..a471d1db0 --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/evaltest.dat @@ -0,0 +1,7 @@ +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES +moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5cf4d0cf1 --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c33f05cba --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + icmp { + local_ts = dynamic[icmp] + remote_ts = 10.1.0.0/16[icmp] + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + ssh { + local_ts = dynamic[tcp] + remote_ts = 10.1.0.0/16[tcp/ssh] + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1065d9ab0 --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac vici kernel-netlink socket-default updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..71d709958 --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + icmp { + local_ts = 10.1.0.0/16[icmp] + remote_ts = dynamic[icmp] + + hostaccess = yes + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + ssh { + local_ts = 10.1.0.0/16[tcp/ssh] + remote_ts = dynamic[tcp] + + hostaccess = yes + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/protoport-dual/posttest.dat b/testing/tests/swanctl/protoport-dual/posttest.dat new file mode 100644 index 000000000..2fc2bbb75 --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/protoport-dual/pretest.dat b/testing/tests/swanctl/protoport-dual/pretest.dat new file mode 100644 index 000000000..0e8e43390 --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +carol::expect-connection icmp +carol::expect-connection ssh +carol::swanctl --initiate --child icmp 2> /dev/null +carol::swanctl --initiate --child ssh 2> /dev/null diff --git a/testing/tests/swanctl/protoport-dual/test.conf b/testing/tests/swanctl/protoport-dual/test.conf new file mode 100644 index 000000000..307c7e9cc --- /dev/null +++ b/testing/tests/swanctl/protoport-dual/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/protoport-range/description.txt b/testing/tests/swanctl/protoport-range/description.txt new file mode 100644 index 000000000..b24382204 --- /dev/null +++ b/testing/tests/swanctl/protoport-range/description.txt @@ -0,0 +1,7 @@ +Using [<protocol>/<port>] selectors in the +local_ts and remote_ts child parameters, three IPsec tunnels +between the roadwarrior carol and the gateway moon are defined. +The first CHILD_SA is restricted to ICMP request packets, the second +covers ICMP reply pachets and the third TCP-based FTP and SSH connections. +The established tunnels are tested by carol by first pinging alice +behind moon and then setting up an SSH session to the same client. diff --git a/testing/tests/swanctl/protoport-range/evaltest.dat b/testing/tests/swanctl/protoport-range/evaltest.dat new file mode 100644 index 000000000..89caa9bd1 --- /dev/null +++ b/testing/tests/swanctl/protoport-range/evaltest.dat @@ -0,0 +1,7 @@ +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/8]] remote-ts=\[10.1.0.0/16\[icmp/8]].*icmp-rep.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/0]] remote-ts=\[10.1.0.0/16\[icmp/0]].*ftp-ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32\[tcp/32768-65535]] remote-ts=\[10.1.0.0/16\[tcp/21-22]::YES +moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/8]] remote-ts=\[192.168.0.100/32\[icmp/8]].*icmp-rep.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/0]] remote-ts=\[192.168.0.100/32\[icmp/0]].*ftp-ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16\[tcp/21-22]] remote-ts=\[192.168.0.100/32\[tcp/32768-65535]]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5cf4d0cf1 --- /dev/null +++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..441417274 --- /dev/null +++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,42 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + icmp-req { + local_ts = dynamic[icmp/2048] + remote_ts = 10.1.0.0/16[icmp/2048] + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + icmp-rep { + local_ts = dynamic[icmp/0] + remote_ts = 10.1.0.0/16[icmp/0] + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + ftp-ssh { + local_ts = dynamic[tcp/32768-65535] + remote_ts = 10.1.0.0/16[tcp/21-22] + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1065d9ab0 --- /dev/null +++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac vici kernel-netlink socket-default updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c5a2a7150 --- /dev/null +++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,43 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + icmp-req { + local_ts = 10.1.0.0/16[icmp/2048] + remote_ts = dynamic[icmp/2048] + + hostaccess = yes + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + icmp-rep { + local_ts = 10.1.0.0/16[icmp/0] + remote_ts = dynamic[icmp/0] + + hostaccess = yes + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + ftp-ssh { + local_ts = 10.1.0.0/16[tcp/21-22] + remote_ts = dynamic[tcp/32768-65535] + + hostaccess = yes + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/protoport-range/posttest.dat b/testing/tests/swanctl/protoport-range/posttest.dat new file mode 100644 index 000000000..2fc2bbb75 --- /dev/null +++ b/testing/tests/swanctl/protoport-range/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/protoport-range/pretest.dat b/testing/tests/swanctl/protoport-range/pretest.dat new file mode 100644 index 000000000..7e864f514 --- /dev/null +++ b/testing/tests/swanctl/protoport-range/pretest.dat @@ -0,0 +1,10 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +carol::expect-connection icmp-req +carol::expect-connection icmp-rep +carol::expect-connection ftp-ssh +carol::swanctl --initiate --child icmp-req 2> /dev/null +carol::swanctl --initiate --child icmp-rep 2> /dev/null +carol::swanctl --initiate --child ftp-ssh 2> /dev/null diff --git a/testing/tests/swanctl/protoport-range/test.conf b/testing/tests/swanctl/protoport-range/test.conf new file mode 100644 index 000000000..307c7e9cc --- /dev/null +++ b/testing/tests/swanctl/protoport-range/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-cert/evaltest.dat b/testing/tests/swanctl/rw-cert/evaltest.dat index ee3fb76b4..09bc82bf1 100755 --- a/testing/tests/swanctl/rw-cert/evaltest.dat +++ b/testing/tests/swanctl/rw-cert/evaltest.dat @@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..1454ec54c --- /dev/null +++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F + +1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b +/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ +/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o +Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ +f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 +LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv +06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC +e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr +3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC +sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily +c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy +UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h +XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T +iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO +Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO +v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO +t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H +8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA +jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p +p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS +7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk +GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ +4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 +yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd ++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf index 0ba243300..6cdc7bdf5 100755 --- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -17,16 +17,19 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" } } diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf index a3420a479..e65ec7a18 100755 --- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -17,16 +17,11 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf index 861d65ab6..a3c51c889 100755 --- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -15,16 +15,11 @@ connections { net { local_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/swanctl/rw-cert/pretest.dat index 706bd1edd..762c35418 100755 --- a/testing/tests/swanctl/rw-cert/pretest.dat +++ b/testing/tests/swanctl/rw-cert/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-dnssec/description.txt b/testing/tests/swanctl/rw-dnssec/description.txt new file mode 100644 index 000000000..0135f078c --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +The authentication is based on trustworthy public keys stored as IPSECKEY +resource records in the Domain Name System (DNS) and protected by DNSSEC. +

    +Both carol and dave request a virtual IP via the IKEv2 configuration payload +by using the leftsourceip=%config parameter. leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the +tunnels, carol and dave then ping the client alice behind the gateway +moon. The source IP addresses of the two pings will be the virtual IPs carol1 +and dave1, respectively. diff --git a/testing/tests/swanctl/rw-dnssec/evaltest.dat b/testing/tests/swanctl/rw-dnssec/evaltest.dat new file mode 100644 index 000000000..679233471 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/evaltest.dat @@ -0,0 +1,20 @@ +carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..7913dafc1 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf @@ -0,0 +1,19 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + + plugins { + ipseckey { + enable = yes + } + unbound { + trust_anchors = /etc/swanctl/dnssec.keys + } + } +} diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.der b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.der new file mode 100644 index 000000000..0c1140d3e Binary files /dev/null and b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.der differ diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2d14b32c5 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + id = carol.strongswan.org + pubkeys = carolPub.der + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..7913dafc1 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf @@ -0,0 +1,19 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + + plugins { + ipseckey { + enable = yes + } + unbound { + trust_anchors = /etc/swanctl/dnssec.keys + } + } +} diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.der b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.der new file mode 100644 index 000000000..fc36c6567 Binary files /dev/null and b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.der differ diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ba511a496 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + id = dave.strongswan.org + pubkeys = davePub.der + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..9eafa0ded --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey gmp hmac vici kernel-netlink socket-default updown attr + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + pools = /usr/local/sbin/swanctl --load-pools + conns = /usr/local/sbin/swanctl --load-conns + } + dns1 = PH_IP_WINNETOU + dns2 = PH_IP_VENUS + + plugins { + ipseckey { + enable = yes + } + unbound { + trust_anchors = /etc/swanctl/dnssec.keys + } + } +} diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/pubkey/moonPub.der b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/pubkey/moonPub.der new file mode 100644 index 000000000..672473596 Binary files /dev/null and b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/pubkey/moonPub.der differ diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..33c417063 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + id = moon.strongswan.org + pubkeys = moonPub.der + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +pools { + rw_pool { + addrs = 10.3.0.0/28 + } +} diff --git a/testing/tests/swanctl/rw-dnssec/posttest.dat b/testing/tests/swanctl/rw-dnssec/posttest.dat new file mode 100644 index 000000000..48a4abe78 --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/posttest.dat @@ -0,0 +1,11 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::rm /etc/swanctl/pubkey/* +carol::rm /etc/swanctl/pubkey/* +dave::rm /etc/swanctl/pubkey/* +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-dnssec/pretest.dat b/testing/tests/swanctl/rw-dnssec/pretest.dat new file mode 100644 index 000000000..5faf602fc --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm x509/* x509ca/* +carol::cd /etc/swanctl; rm x509/* x509ca/* +dave::cd /etc/swanctl; rm x509/* x509ca/* +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-dnssec/test.conf b/testing/tests/swanctl/rw-dnssec/test.conf new file mode 100644 index 000000000..a542d037e --- /dev/null +++ b/testing/tests/swanctl/rw-dnssec/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat b/testing/tests/swanctl/rw-hash-and-url/evaltest.dat index 5242db17c..5286ffeb3 100755 --- a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat +++ b/testing/tests/swanctl/rw-hash-and-url/evaltest.dat @@ -2,10 +2,10 @@ carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf index 7b0b2adba..401b9fa49 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf @@ -17,17 +17,12 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf index b4d82096a..b1e734def 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf @@ -17,17 +17,12 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf index 258d9e87c..f8931756d 100755 --- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf @@ -15,17 +15,12 @@ connections { net { local_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-hash-and-url/pretest.dat b/testing/tests/swanctl/rw-hash-and-url/pretest.dat index 706bd1edd..762c35418 100755 --- a/testing/tests/swanctl/rw-hash-and-url/pretest.dat +++ b/testing/tests/swanctl/rw-hash-and-url/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-ntru-bliss/description.txt b/testing/tests/swanctl/rw-ntru-bliss/description.txt new file mode 100644 index 000000000..82ebd89ad --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/description.txt @@ -0,0 +1,14 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and +192 bit for carol and dave, respectively. Authentication is based on the BLISS +algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for +carol, dave and moon, respectively. +

    +Both carol and dave request a virtual IP via the IKEv2 configuration payload. +The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously +increasing order. +

    +The updown script automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, carol and dave then ping +the client alice behind the gateway moon. The source IP addresses of the two +pings will be the virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat b/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat new file mode 100644 index 000000000..69149cdb4 --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat @@ -0,0 +1,18 @@ +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1a8d3625e --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + + send_vendor_id = yes + fragment_size = 1500 + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der new file mode 100644 index 000000000..b2831a8ed Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..fbfe57d21 --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.der + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-ntru128 + } + } + version = 2 + proposals = aes128-sha256-ntru128 + fragmentation = yes + } +} diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509/carolCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509/carolCert.der new file mode 100644 index 000000000..8a520c0b4 Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509/carolCert.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der new file mode 100644 index 000000000..fdfd39f13 Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..1a8d3625e --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + + send_vendor_id = yes + fragment_size = 1500 + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der new file mode 100644 index 000000000..0ec528ddf Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ec04538ef --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.der + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + revocation = strict + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192-sha384-ntru192 + } + } + version = 2 + proposals = aes192-sha384-ntru192 + fragmentation = yes + } +} diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509/daveCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509/daveCert.der new file mode 100644 index 000000000..75a114339 Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509/daveCert.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der new file mode 100644 index 000000000..fdfd39f13 Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ec18f448c --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + + send_vendor_id = yes + fragment_size = 1500 + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + pools = /usr/local/sbin/swanctl --load-pools + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der new file mode 100644 index 000000000..c989f91e5 Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2e1ae8dbc --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = bliss-sha512 + certs = moonCert.der + id = moon.strongswan.org + } + remote { + auth = pubkey + revocation = strict + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128-sha256-ntru128,aes192-sha384-ntru192 + } + } + version = 2 + proposals = aes128-sha256-ntru128,aes192-sha384-ntru192 + fragmentation = yes + } +} + +pools { + rw_pool { + addrs = 10.3.0.0/28 + } +} diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509/moonCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509/moonCert.der new file mode 100644 index 000000000..d0ea364b0 Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509/moonCert.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der new file mode 100644 index 000000000..fdfd39f13 Binary files /dev/null and b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der differ diff --git a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat new file mode 100644 index 000000000..58d5b8675 --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat @@ -0,0 +1,9 @@ +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::cd /etc/swanctl; rm bliss/* x509/moonCert.der x509ca/strongswan_blissCert.der +carol::cd /etc/swanctl; rm bliss/* x509/carolCert.der x509ca/strongswan_blissCert.der +dave::cd /etc/swanctl; rm bliss/* x509/daveCert.der x509ca/strongswan_blissCert.der diff --git a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat new file mode 100644 index 000000000..a550a2f6d --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem +carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem +dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-ntru-bliss/test.conf b/testing/tests/swanctl/rw-ntru-bliss/test.conf new file mode 100644 index 000000000..a542d037e --- /dev/null +++ b/testing/tests/swanctl/rw-ntru-bliss/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat index bb5e08bf4..a184ee997 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat @@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32] +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32] alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf index c113620b3..9bf759ee3 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf @@ -16,17 +16,12 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf index 928fd04c0..1f2beefef 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf @@ -16,17 +16,12 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf index 8cae3e820..7138b5d4a 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf @@ -14,17 +14,12 @@ connections { net { local_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat index d55df408c..519b168ae 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat @@ -7,6 +7,8 @@ dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-psk-ikev1/description.txt b/testing/tests/swanctl/rw-psk-ikev1/description.txt new file mode 100755 index 000000000..73aac6fe6 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/description.txt @@ -0,0 +1,16 @@ +The roadwarriors carol and dave set up a connection each +to gateway moon. The IKEv1 main mode authentication is based on +pre-shared keys and IPv4 address identities. +On the gateway two connections with differing parameters are defined: +One for peers from the 192.168.0.96/28 subnet and one for peers from +the range 192.168.0.150-192.168.0.200. +

    +On the gateway for different shared keys are defined for the following +hierarchcal peer address ranges: 0.0.0.0/0 0::0/0, +192.168.0.96/28, 192.168.0.150-192.168.0.200 and +192.168.0.200. Client carol uses the first and client dave +the fourth PSK. +

    +Upon the successful establishment of the IPsec tunnels, carol pings the +client alice and dave the client venus lying in two different +subnets behind the gateway moon. diff --git a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat new file mode 100755 index 000000000..96d74c877 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat @@ -0,0 +1,14 @@ +dave::cat /var/log/daemon.log::updown approximates remote TS 10.1.0.17..10.1.0.20 by next larger subnet::YES +moon::cat /var/log/daemon.log::updown approximates local TS 10.1.0.17..10.1.0.20 by next larger subnet::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES +venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES +alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO +venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32] +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..8c0f03f0a --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf @@ -0,0 +1,23 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + cfg = 1 + ike = 1 + } + } +} diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..dcfcd0b4e --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = psk + } + remote { + auth = psk + } + children { + home { + remote_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp2048 + } + } + version = 1 + proposals = aes128-sha256-modp2048 + } +} + +secrets { + + ike-moon { + id = 192.168.0.1 + # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + secret = 0x16964066a10de938bdb2ab7864fe4459cab1 + } +} diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..df1424dde --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf @@ -0,0 +1,23 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + cfg = 1 + ike = 1 + } + } +} diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8cd79ea20 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = psk + } + remote { + auth = psk + } + children { + home { + remote_ts = 10.1.0.17-10.1.0.20 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm128-modp3072 + } + } + version = 1 + proposals = aes192-sha384-modp3072 + } +} + +secrets { + + ike-moon { + id = 192.168.0.1 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..5f2190192 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf @@ -0,0 +1,23 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + cfg = 1 + ike = 1 + } + } +} diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..be1bf8afe --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,67 @@ +connections { + + rw-1 { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.96/28 + + local { + auth = psk + } + remote { + auth = psk + } + children { + net-1 { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp2048 + } + } + version = 1 + proposals = aes128-sha256-modp2048 + } + + rw-2 { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.150-192.168.0.200 + + local { + auth = psk + } + remote { + auth = psk + } + children { + net-2 { + local_ts = 10.1.0.17-10.1.0.20 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm128-modp3072 + } + } + version = 1 + proposals = aes192-sha384-modp3072 + } +} + + +secrets { + + ike-any { + id = 0.0.0.0/0 0::0/0 + secret = 0soBAJZLI7Bwwi61Rl113FqD/3 + } + ike-rw-1 { + id = 192.168.0.96/28 + secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + } + ike-rw-2 { + id = 192.168.0.150-192.168.0.200 + secret = 0s8qPdxyhDeGfk1l211cS8urXc + } + ike-dave { + id = 192.168.0.200 + secret = 0sjVzONCF02ncsgiSlmIXeqhGN + } +} diff --git a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat new file mode 100755 index 000000000..d7107ccc6 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat new file mode 100755 index 000000000..3393f516d --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat @@ -0,0 +1,15 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection net-1 +moon::expect-connection net-2 +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-psk-ikev1/test.conf b/testing/tests/swanctl/rw-psk-ikev1/test.conf new file mode 100755 index 000000000..b8048b4a0 --- /dev/null +++ b/testing/tests/swanctl/rw-psk-ikev1/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat index 142e88e61..7acb15a3a 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat @@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=192.168.0.100 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=192.168.0.200 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.100 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.200 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32] +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32] +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32] alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf index bd00fc32c..8b3863bb6 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf @@ -16,17 +16,12 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf index b30790b46..83f3c0a7a 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf @@ -16,17 +16,12 @@ connections { home { remote_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf index 098b3c0ab..9b4f7cea2 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf @@ -13,17 +13,12 @@ connections { net { local_ts = 10.1.0.0/16 - start_action = none updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 + esp_proposals = aes128gcm128-modp3072 } } - version = 2 - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 + proposals = aes128-sha256-modp3072 } } diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat index d55df408c..519b168ae 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat @@ -7,6 +7,8 @@ dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/* moon::service charon start 2> /dev/null carol::service charon start 2> /dev/null dave::service charon start 2> /dev/null -moon::sleep 1 +moon::expect-connection rw +carol::expect-connection home carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-pubkey-anon/description.txt b/testing/tests/swanctl/rw-pubkey-anon/description.txt new file mode 100755 index 000000000..4ccc06aaf --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on raw public keys +and IKEv2 key IDs. Gateway moon accepts all peers possessing a +public key a copy of which is stored in the /etc/swanctl/pubkey directory. +

    +Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat b/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat new file mode 100755 index 000000000..f0cd34c86 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat @@ -0,0 +1,10 @@ +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=0d:36:.*:cc:90 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=67:f6:.*:40:80 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.100 remote-port=4500 remote-id=0d:36:.*:cc:90.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.200 remote-port=4500 remote-id=67:f6:.*:40:80.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..dc166b588 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 pubkey openssl random +} + +charon { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/carolPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/carolPub.pem new file mode 100644 index 000000000..8fdc45a70 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/carolPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/PUNxfK3+w4AuLUhn9F +y49rmb7h+JJJPbBVZauXDeFSN6LAt+Cguu0poZfiL4C3zZmiXaZ1sRcWk772rFeW +I/a7R97Go/iYG5m6zcQsDzYQ4vSVDZqECLw7epp+QMwFKC+h4mkTA17TRSCHneDu +FPt3Dy1KBw8apCRa60ggpP1Pp78dsc2NG1iXD1mUeynyBJiOD9Dq9Xqh+2254xQP +01G/zDZjvqudFGZQZ/caU0UWaDFme0IlG5iW2fFXtVwIWimnJq5i398+aMDFs9G6 +EcppyfMjOrzcjF/l9KMxOWW4YJ9YVf80YQ1dqYGoKGREsea4Ic17HFGn2zYXVLXS +EQIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/moonPub.pem new file mode 100644 index 000000000..94fadce57 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/moonPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz +pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB +r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x +vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL +0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy +YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47 +nwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..1454ec54c --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F + +1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b +/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ +/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o +Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ +f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 +LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv +06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC +e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr +3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC +sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily +c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy +UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h +XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T +iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO +Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO +v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO +t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H +8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA +jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p +p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS +7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk +GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ +4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 +yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd ++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f1a074fed --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + pubkeys = carolPub.pem + } + remote { + auth = pubkey + pubkeys = moonPub.pem + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..dc166b588 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 pubkey openssl random +} + +charon { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/davePub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/davePub.pem new file mode 100644 index 000000000..154ac5034 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/davePub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jzcTcWEzV+14gWt0dJC +Ew8ZYpfWCD4lTz0grXvhf+T9gMHx9vx3SiZvAq+CBTuTkpsBydpUEbQC9GZv6qRd +1FmIQCUk6pHZit+UH44w3tuc+YNB6QjT1PMMm31rULX14jGZQnaHYN4MASfGumnX +CwqdYF3jwx5iGOQAStGHHwDxmUFuR3IZAkP7Lwa2nSJZLivPxqIZDS9hL4/0NWQw +ltsaGXZqrBVj4Xffn/8tUbbjj7LNdN/WjxovA+XX48dyBq834zvrpjduojlgeCHY +IQlMJoF/jOihMFJDpOvVxDkH/9XnX0nXH+6H//YKkRBdsVgWJTeQuZNM/P2lyZ5W +QwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/moonPub.pem new file mode 100644 index 000000000..94fadce57 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/moonPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz +pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB +r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x +vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL +0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy +YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47 +nwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4383ab850 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + pubkeys = davePub.pem + } + remote { + auth = pubkey + pubkeys = moonPub.pem + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..720e903c9 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/carolPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/carolPub.pem new file mode 100644 index 000000000..8fdc45a70 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/carolPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/PUNxfK3+w4AuLUhn9F +y49rmb7h+JJJPbBVZauXDeFSN6LAt+Cguu0poZfiL4C3zZmiXaZ1sRcWk772rFeW +I/a7R97Go/iYG5m6zcQsDzYQ4vSVDZqECLw7epp+QMwFKC+h4mkTA17TRSCHneDu +FPt3Dy1KBw8apCRa60ggpP1Pp78dsc2NG1iXD1mUeynyBJiOD9Dq9Xqh+2254xQP +01G/zDZjvqudFGZQZ/caU0UWaDFme0IlG5iW2fFXtVwIWimnJq5i398+aMDFs9G6 +EcppyfMjOrzcjF/l9KMxOWW4YJ9YVf80YQ1dqYGoKGREsea4Ic17HFGn2zYXVLXS +EQIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/davePub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/davePub.pem new file mode 100644 index 000000000..154ac5034 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/davePub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jzcTcWEzV+14gWt0dJC +Ew8ZYpfWCD4lTz0grXvhf+T9gMHx9vx3SiZvAq+CBTuTkpsBydpUEbQC9GZv6qRd +1FmIQCUk6pHZit+UH44w3tuc+YNB6QjT1PMMm31rULX14jGZQnaHYN4MASfGumnX +CwqdYF3jwx5iGOQAStGHHwDxmUFuR3IZAkP7Lwa2nSJZLivPxqIZDS9hL4/0NWQw +ltsaGXZqrBVj4Xffn/8tUbbjj7LNdN/WjxovA+XX48dyBq834zvrpjduojlgeCHY +IQlMJoF/jOihMFJDpOvVxDkH/9XnX0nXH+6H//YKkRBdsVgWJTeQuZNM/P2lyZ5W +QwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/moonPub.pem new file mode 100644 index 000000000..94fadce57 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/moonPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz +pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB +r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x +vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL +0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy +YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47 +nwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/sunPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/sunPub.pem new file mode 100644 index 000000000..5254ed164 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/sunPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyIgBH1KWzMMmEYS1Gr1 +4IUBg120vdsLuNwQuzu22qIHnWIBSB2L0lkLOBY0AYd3wi9ENXnb0MOJTFfE5YJ1 +gpSZCnS3m9HqgTmmYeZ3mVxSC4TJWu2oVKvosxSo5fAVvjVVQ089HtjIsx2BR/0q +LQ9lZ2dUtUSn9kohjU5qpktOfJ9XuTQj9dBfa5bpQMJoLUBAGWPMR+sPaBRwb34U +ulvmoOyIZTKGEsH6czUY0+dm8iUKmkP7S3fEQjzv56Dk3zrJcFy7ij87uu9Wk/Xs +auHAq5jHREcMFJwEOj9ZE0Q6ufz9D2NBSWvLTr7QKFVhj5HfbyUcAGRqgf+sHrkl +IQIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a068c7f6c --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,24 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + pubkeys = moonPub.pem + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat new file mode 100755 index 000000000..48a4abe78 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat @@ -0,0 +1,11 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::rm /etc/swanctl/pubkey/* +carol::rm /etc/swanctl/pubkey/* +dave::rm /etc/swanctl/pubkey/* +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat new file mode 100755 index 000000000..5faf602fc --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm x509/* x509ca/* +carol::cd /etc/swanctl; rm x509/* x509ca/* +dave::cd /etc/swanctl; rm x509/* x509ca/* +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-pubkey-anon/test.conf b/testing/tests/swanctl/rw-pubkey-anon/test.conf new file mode 100755 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-anon/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-pubkey-keyid/description.txt b/testing/tests/swanctl/rw-pubkey-keyid/description.txt new file mode 100755 index 000000000..e813bbe49 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on raw public keys +and IKEv2 key IDs. +

    +Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat b/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat new file mode 100755 index 000000000..70905de4d --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat @@ -0,0 +1,10 @@ +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=0d:36:.*:cc:90 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=67:f6:.*:40:80 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-carol.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.100 remote-port=4500 remote-id=0d:36:.*:cc:90.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-dave.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.200 remote-port=4500 remote-id=67:f6:.*:40:80.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..dc166b588 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 pubkey openssl random +} + +charon { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/carolPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/carolPub.pem new file mode 100644 index 000000000..8fdc45a70 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/carolPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/PUNxfK3+w4AuLUhn9F +y49rmb7h+JJJPbBVZauXDeFSN6LAt+Cguu0poZfiL4C3zZmiXaZ1sRcWk772rFeW +I/a7R97Go/iYG5m6zcQsDzYQ4vSVDZqECLw7epp+QMwFKC+h4mkTA17TRSCHneDu +FPt3Dy1KBw8apCRa60ggpP1Pp78dsc2NG1iXD1mUeynyBJiOD9Dq9Xqh+2254xQP +01G/zDZjvqudFGZQZ/caU0UWaDFme0IlG5iW2fFXtVwIWimnJq5i398+aMDFs9G6 +EcppyfMjOrzcjF/l9KMxOWW4YJ9YVf80YQ1dqYGoKGREsea4Ic17HFGn2zYXVLXS +EQIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/moonPub.pem new file mode 100644 index 000000000..94fadce57 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/moonPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz +pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB +r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x +vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL +0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy +YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47 +nwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..1454ec54c --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F + +1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b +/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ +/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o +Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+ +f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6 +LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv +06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC +e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr +3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC +sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily +c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy +UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h +XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T +iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO +Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO +v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO +t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H +8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA +jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p +p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS +7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk +GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+ +4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0 +yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd ++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f1a074fed --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + pubkeys = carolPub.pem + } + remote { + auth = pubkey + pubkeys = moonPub.pem + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..dc166b588 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 pubkey openssl random +} + +charon { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/davePub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/davePub.pem new file mode 100644 index 000000000..154ac5034 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/davePub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jzcTcWEzV+14gWt0dJC +Ew8ZYpfWCD4lTz0grXvhf+T9gMHx9vx3SiZvAq+CBTuTkpsBydpUEbQC9GZv6qRd +1FmIQCUk6pHZit+UH44w3tuc+YNB6QjT1PMMm31rULX14jGZQnaHYN4MASfGumnX +CwqdYF3jwx5iGOQAStGHHwDxmUFuR3IZAkP7Lwa2nSJZLivPxqIZDS9hL4/0NWQw +ltsaGXZqrBVj4Xffn/8tUbbjj7LNdN/WjxovA+XX48dyBq834zvrpjduojlgeCHY +IQlMJoF/jOihMFJDpOvVxDkH/9XnX0nXH+6H//YKkRBdsVgWJTeQuZNM/P2lyZ5W +QwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/moonPub.pem new file mode 100644 index 000000000..94fadce57 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/moonPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz +pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB +r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x +vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL +0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy +YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47 +nwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4383ab850 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + pubkeys = davePub.pem + } + remote { + auth = pubkey + pubkeys = moonPub.pem + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..720e903c9 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/carolPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/carolPub.pem new file mode 100644 index 000000000..8fdc45a70 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/carolPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/PUNxfK3+w4AuLUhn9F +y49rmb7h+JJJPbBVZauXDeFSN6LAt+Cguu0poZfiL4C3zZmiXaZ1sRcWk772rFeW +I/a7R97Go/iYG5m6zcQsDzYQ4vSVDZqECLw7epp+QMwFKC+h4mkTA17TRSCHneDu +FPt3Dy1KBw8apCRa60ggpP1Pp78dsc2NG1iXD1mUeynyBJiOD9Dq9Xqh+2254xQP +01G/zDZjvqudFGZQZ/caU0UWaDFme0IlG5iW2fFXtVwIWimnJq5i398+aMDFs9G6 +EcppyfMjOrzcjF/l9KMxOWW4YJ9YVf80YQ1dqYGoKGREsea4Ic17HFGn2zYXVLXS +EQIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/davePub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/davePub.pem new file mode 100644 index 000000000..154ac5034 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/davePub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jzcTcWEzV+14gWt0dJC +Ew8ZYpfWCD4lTz0grXvhf+T9gMHx9vx3SiZvAq+CBTuTkpsBydpUEbQC9GZv6qRd +1FmIQCUk6pHZit+UH44w3tuc+YNB6QjT1PMMm31rULX14jGZQnaHYN4MASfGumnX +CwqdYF3jwx5iGOQAStGHHwDxmUFuR3IZAkP7Lwa2nSJZLivPxqIZDS9hL4/0NWQw +ltsaGXZqrBVj4Xffn/8tUbbjj7LNdN/WjxovA+XX48dyBq834zvrpjduojlgeCHY +IQlMJoF/jOihMFJDpOvVxDkH/9XnX0nXH+6H//YKkRBdsVgWJTeQuZNM/P2lyZ5W +QwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/moonPub.pem new file mode 100644 index 000000000..94fadce57 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/moonPub.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz +pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB +r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x +vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL +0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy +YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47 +nwIDAQAB +-----END PUBLIC KEY----- diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..eac4bc1aa --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,20 @@ +connections { + + rw-carol { + include swanctl_base.conf + + remote { + auth = pubkey + pubkeys = carolPub.pem + } + } + + rw-dave { + include swanctl_base.conf + + remote { + auth = pubkey + pubkeys = davePub.pem + } + } +} diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf new file mode 100755 index 000000000..61e71f873 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf @@ -0,0 +1,16 @@ + local_addrs = 192.168.0.1 + + local { + auth = pubkey + pubkeys = moonPub.pem + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 diff --git a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat new file mode 100755 index 000000000..48a4abe78 --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat @@ -0,0 +1,11 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::rm /etc/swanctl/pubkey/* +carol::rm /etc/swanctl/pubkey/* +dave::rm /etc/swanctl/pubkey/* +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat new file mode 100755 index 000000000..de43d510d --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat @@ -0,0 +1,15 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm x509/* x509ca/* +carol::cd /etc/swanctl; rm x509/* x509ca/* +dave::cd /etc/swanctl; rm x509/* x509ca/* +moon::cat /etc/swanctl/swanctl_base.conf +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw-carol +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-pubkey-keyid/test.conf b/testing/tests/swanctl/rw-pubkey-keyid/test.conf new file mode 100755 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-pubkey-keyid/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/description.txt b/testing/tests/swanctl/shunt-policies-nat-rw/description.txt new file mode 100644 index 000000000..b95669dad --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/description.txt @@ -0,0 +1,7 @@ +The roadwarriors alice and venus sitting behind the NAT router moon set up +tunnels to gateway sun. They tunnel all traffic to the gateway. In order to prevent +local traffic within the 10.1.0.0/16 subnet to enter the tunnel, both set up a local-net +shunt policy with mode = pass. +

    +In order to test the tunnel, the NAT-ed hosts alice and venus +ping each other and the client bob behind the gateway sun. diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat new file mode 100644 index 000000000..d89eeb6ee --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat @@ -0,0 +1,14 @@ +alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES +venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES +sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES +sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES +alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES +alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..9622bb089 --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + keep_alive = 5 +} diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..373f8a76a --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,40 @@ +connections { + + nat-t { + remote_addrs = 192.168.0.2 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = aliceCert.pem + id = alice@strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + remote_ts = 0.0.0.0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } + + local-net { + + children { + local-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.1.0.0/16 + + mode = pass + start_action = trap + } + } + } +} diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..38794af25 --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + pools = /usr/local/sbin/swanctl --load-pools + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2f21d4a9b --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,32 @@ +connections { + + nat-t { + local_addrs = 192.168.0.2 + pools = rw_pool + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + } + children { + nat-t { + local_ts = 0.0.0.0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +pools { + rw_pool { + addrs = 10.3.0.0/28 + } +} diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..9622bb089 --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + keep_alive = 5 +} diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bb9ca080a --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf @@ -0,0 +1,40 @@ +connections { + + nat-t { + remote_addrs = 192.168.0.2 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = venusCert.pem + id = venus.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + remote_ts = 0.0.0.0/0 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } + + local-net { + + children { + local-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.1.0.0/16 + + mode = pass + start_action = trap + } + } + } +} diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat new file mode 100644 index 000000000..b02b19357 --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat @@ -0,0 +1,5 @@ +alice::service charon stop 2> /dev/null +venus::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null +sun::iptables-restore < /etc/iptables.flush +moon::iptables -t nat -F diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat new file mode 100644 index 000000000..d6bc0709e --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat @@ -0,0 +1,11 @@ +sun::iptables-restore < /etc/iptables.rules +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::service charon start 2> /dev/null +alice::service charon start 2> /dev/null +venus::service charon start 2> /dev/null +sun::expect-connection nat-t +alice::expect-connection nat-t +venus::expect-connection nat-t +alice::swanctl --initiate --child nat-t 2> /dev/null +venus::swanctl --initiate --child nat-t 2> /dev/null diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/test.conf b/testing/tests/swanctl/shunt-policies-nat-rw/test.conf new file mode 100644 index 000000000..34b0ba165 --- /dev/null +++ b/testing/tests/swanctl/shunt-policies-nat-rw/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/xauth-rsa/description.txt b/testing/tests/swanctl/xauth-rsa/description.txt new file mode 100644 index 000000000..9e78e41b7 --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +The authentication is based on RSA public key signatures (pubkey) using X.509 certificates +in the first round followed by extended authentication (xauth) of carol and dave +based on user names equal to the IKEv1 identity (carol@strongswan.org and +dave@strongswan.org, respectively) and corresponding XAuth user passwords. +

    +Upon the successful establishment of the IPsec tunnel, automatically inserted iptables-based +firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall, +carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/swanctl/xauth-rsa/evaltest.dat b/testing/tests/swanctl/xauth-rsa/evaltest.dat new file mode 100644 index 000000000..c50c7fb05 --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/evaltest.dat @@ -0,0 +1,12 @@ +moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072 established=1.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..2976558fc --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2d2639ea1 --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,38 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + local-xauth { + auth = xauth + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 1 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + xauth-carol { + id = carol@strongswan.org + secret = "4iChxLT3" + } +} diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2976558fc --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f3758e387 --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,38 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + local-xauth { + auth = xauth + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 1 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + xauth-dave { + id = dave@strongswan.org + secret = "ryftzG4A" + } +} diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..2976558fc --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..27a880297 --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,40 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + remote-xauth { + auth = xauth + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 1 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + xauth-carol { + id = carol@strongswan.org + secret = "4iChxLT3" + } + xauth-dave { + id = dave@strongswan.org + secret = "ryftzG4A" + } +} diff --git a/testing/tests/swanctl/xauth-rsa/posttest.dat b/testing/tests/swanctl/xauth-rsa/posttest.dat new file mode 100644 index 000000000..d7107ccc6 --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/xauth-rsa/pretest.dat b/testing/tests/swanctl/xauth-rsa/pretest.dat new file mode 100644 index 000000000..762c35418 --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/xauth-rsa/test.conf b/testing/tests/swanctl/xauth-rsa/test.conf new file mode 100644 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/xauth-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat index 3478c07df..800fa3c4f 100644 --- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat @@ -1,19 +1,18 @@ carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon new file mode 100755 index 000000000..bf3a6891a --- /dev/null +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon @@ -0,0 +1,158 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: charon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: strongSwan charon IKE daemon +# Description: with swanctl the strongSwan charon daemon must be +# running in the background +### END INIT INFO + +# Author: Andreas Steffen +# +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin +DESC="strongSwan charon IKE daemon" +NAME=charon +DAEMON=/usr/local/libexec/ipsec/$NAME +DAEMON_ARGS="" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/charon + +export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf deleted file mode 100644 index caa5bc17a..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf index d891a2c5b..063bb6fc9 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf @@ -1,13 +1,29 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon new file mode 100755 index 000000000..bf3a6891a --- /dev/null +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon @@ -0,0 +1,158 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: charon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: strongSwan charon IKE daemon +# Description: with swanctl the strongSwan charon daemon must be +# running in the background +### END INIT INFO + +# Author: Andreas Steffen +# +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin +DESC="strongSwan charon IKE daemon" +NAME=charon +DAEMON=/usr/local/libexec/ipsec/$NAME +DAEMON_ARGS="" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/charon + +export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf deleted file mode 100644 index ba149c4ba..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf index d891a2c5b..063bb6fc9 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf @@ -1,13 +1,29 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon new file mode 100755 index 000000000..bf3a6891a --- /dev/null +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon @@ -0,0 +1,158 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: charon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: strongSwan charon IKE daemon +# Description: with swanctl the strongSwan charon daemon must be +# running in the background +### END INIT INFO + +# Author: Andreas Steffen +# +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin +DESC="strongSwan charon IKE daemon" +NAME=charon +DAEMON=/usr/local/libexec/ipsec/$NAME +DAEMON_ARGS="" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/charon + +export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 0fdad8607..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf index 03f5519e2..a3d85b054 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf @@ -1,10 +1,22 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -17,3 +29,7 @@ charon { } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat index d181aab9f..f0f6446bf 100644 --- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat @@ -6,11 +6,15 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file -moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start moon::expect-connection rw-allow carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf index a8a05af19..61f2312af 100644 --- a/testing/tests/tnc/tnccs-11-fhh/test.conf +++ b/testing/tests/tnc/tnccs-11-fhh/test.conf @@ -23,4 +23,6 @@ IPSECHOSTS="moon carol dave" # Guest instances on which FreeRadius is started # RADIUSHOSTS= - +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat index 3f3aa9f64..ef02166f0 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat @@ -1,14 +1,15 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home::NO +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second index 2d4961288..c5bde6a9e 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second @@ -15,6 +15,19 @@ session { } post-auth { + if (control:TNC-Status == "Access") { + update reply { + Tunnel-Type := ESP + Filter-Id := "allow" + } + } + elsif (control:TNC-Status == "Isolate") { + update reply { + Tunnel-Type := ESP + Filter-Id := "isolate" + } + } + Post-Auth-Type REJECT { attr_filter.access_reject } diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf index 06c34ed9a..7622801ab 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf @@ -1,12 +1,12 @@ # /etc/strongswan.conf - strongSwan configuration file libimcv { - debug_level = 3 + load = random nonce sha1 sha2 md5 gmp pubkey x509 + debug_level = 3 assessment_result = no plugins { - imv-scanner { - closed_port_policy = no - tcp_ports = 80 443 - } + imv-test { + rounds = 1 + } } } diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e9152e0d8..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf index 927c459db..80c96b677 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..ff58c7c9a --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + aaa_id = aaa.strongswan.org + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 25589bcf1..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf index 566457da3..691cdbc2d 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 @@ -14,6 +27,9 @@ charon { libimcv { plugins { + imc-test { + command = none + } imc-scanner { push_info = no } diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..5af2098b6 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + aaa_id = aaa.strongswan.org + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 98e2525ba..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightid=*@strongswan.org - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf index fbf1617bc..71fc7dd0c 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf @@ -1,12 +1,19 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown + multiple_authentication=no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } plugins { eap-radius { secret = gv6URkSs - server = PH_IP_ALICE + server = 10.1.0.10 + filter_id = yes } } } diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..28b32b74c --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + certs = moonCert.pem + } + remote { + auth = eap-radius + id = *@strongswan.org + } + children { + rw { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat index 5e5a8514d..2989f347c 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat @@ -1,9 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -dave::/etc/init.d/apache2 stop 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat index d2bb94583..baf8c972f 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat @@ -1,14 +1,20 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -dave::/etc/init.d/apache2 start 2> /dev/null alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd -moon::ipsec start -carol::ipsec start -dave::ipsec start +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf index 29bfaa78c..8d7f51449 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/test.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/test.conf @@ -5,11 +5,11 @@ # All guest instances that are required for this test # -VIRTHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c-w-d.png" +DIAGRAM="a-v-m-c-w-d.png" # Guest instances on which tcpdump is to be started # @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS="alice" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat index 955584ba3..d57b5e73f 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat @@ -1,19 +1,18 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e9152e0d8..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf index 3520fd5c8..978cc6659 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf @@ -1,21 +1,26 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-1.1 + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 } } -} - -libimcv { plugins { - imc-test { - command = allow + eap-tnc { + protocol = tnccs-1.1 } } } diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1516ad726 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + aaa_id = aaa.strongswan.org + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 25589bcf1..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index e8706082e..0bc6e3525 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -1,26 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no - retransmit_tries = 5 - plugins { - eap-tnc { - protocol = tnccs-1.1 + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 } } -} - -libimcv { plugins { - imc-test { - command = allow - } - imc-scanner { - push_info = no + eap-tnc { + protocol = tnccs-1.1 } } } diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..07b35dcb9 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + aaa_id = aaa.strongswan.org + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 294964fe7..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf index 6e49677e4..387236ebc 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf @@ -1,12 +1,18 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown + load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown + multiple_authentication=no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } plugins { eap-radius { secret = gv6URkSs - server = PH_IP_ALICE + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..096eb7b5a --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,53 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + certs = moonCert.pem + } + remote { + auth = eap-radius + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-ecp256 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = eap-radius + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat index 18e03746b..db806c3c9 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second carol::echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat index 31ee7d1c7..c96e0631f 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat @@ -11,12 +11,16 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie alice::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -dave::ipsec start -carol::ipsec start -dave::expect-connection home -dave::ipsec up home +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home +dave::expect-connection home +dave::swanctl --initiate --child home alice::ipsec attest --sessions alice::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf index 318dfdfcb..05d40f98d 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf @@ -27,3 +27,7 @@ RADIUSHOSTS="alice" # Guest instances on which databases are used # DBHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat index 955584ba3..0415c3323 100644 --- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat @@ -1,19 +1,18 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf index 45050f7e1..7622801ab 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf @@ -1,6 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file libimcv { + load = random nonce sha1 sha2 md5 gmp pubkey x509 debug_level = 3 assessment_result = no plugins { diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e9152e0d8..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf index 927c459db..80c96b677 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..ff58c7c9a --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + aaa_id = aaa.strongswan.org + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 25589bcf1..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf index 1422c3cc6..9c6f28fe3 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..5af2098b6 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + aaa_id = aaa.strongswan.org + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 294964fe7..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf index 6e49677e4..71fc7dd0c 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf @@ -1,12 +1,18 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown + multiple_authentication=no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } plugins { eap-radius { secret = gv6URkSs - server = PH_IP_ALICE + server = 10.1.0.10 filter_id = yes } } diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..3caad0c66 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,53 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + certs = moonCert.pem + } + remote { + auth = eap-radius + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = eap-radius + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat index a64a9147c..2989f347c 100644 --- a/testing/tests/tnc/tnccs-11-radius/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat index fcfb1451c..baf8c972f 100644 --- a/testing/tests/tnc/tnccs-11-radius/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat @@ -7,10 +7,14 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie alice::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf index f23a19329..8d7f51449 100644 --- a/testing/tests/tnc/tnccs-11-radius/test.conf +++ b/testing/tests/tnc/tnccs-11-radius/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS="alice" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf index 45050f7e1..7622801ab 100644 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf @@ -1,6 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file libimcv { + load = random nonce sha1 sha2 md5 gmp pubkey x509 debug_level = 3 assessment_result = no plugins { diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf deleted file mode 100644 index f24455975..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index ddd495699..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf index 71fbae695..965752b5e 100644 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf @@ -1,6 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file libimcv { + load = random nonce sha1 sha2 md5 gmp pubkey x509 debug_level = 3 plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..00ef0f516 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# The strongSwan IMCs are loaded by the WPA supplicant diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf deleted file mode 100644 index f24455975..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ddd495699..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf index 4ce2769f2..ca1f7d9a5 100644 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf @@ -1,6 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file libimcv { + load = random nonce sha1 sha2 md5 gmp pubkey x509 debug_level = 3 plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..00ef0f516 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# The strongSwan IMCs are loaded by the WPA supplicant diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 294964fe7..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules deleted file mode 100644 index 1eb755354..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 6e49677e4..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown - multiple_authentication=no - plugins { - eap-radius { - secret = gv6URkSs - server = PH_IP_ALICE - filter_id = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/tnc/tnccs-11-supplicant/test.conf index f23a19329..2069e4aa5 100644 --- a/testing/tests/tnc/tnccs-11-supplicant/test.conf +++ b/testing/tests/tnc/tnccs-11-supplicant/test.conf @@ -13,14 +13,17 @@ DIAGRAM="a-v-m-c-w-d.png" # Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="moon" +TCPDUMPHOSTS= # Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol dave" +IPSECHOSTS="carol dave" # Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat index 3478c07df..800fa3c4f 100644 --- a/testing/tests/tnc/tnccs-11/evaltest.dat +++ b/testing/tests/tnc/tnccs-11/evaltest.dat @@ -1,19 +1,18 @@ carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e2bf349d9..000000000 --- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf index 927c459db..af30c204d 100644 --- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 @@ -12,6 +25,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 77446cbae..000000000 --- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf index 1422c3cc6..524536228 100644 --- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 @@ -12,6 +25,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e21ef0d14..000000000 --- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf index 2ce6fd3a1..bba631b1f 100644 --- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -18,6 +31,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imv-test { diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-11/posttest.dat +++ b/testing/tests/tnc/tnccs-11/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat index 85622034d..c8ab14343 100644 --- a/testing/tests/tnc/tnccs-11/pretest.dat +++ b/testing/tests/tnc/tnccs-11/pretest.dat @@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11/test.conf b/testing/tests/tnc/tnccs-11/test.conf index a8a05af19..3a6669966 100644 --- a/testing/tests/tnc/tnccs-11/test.conf +++ b/testing/tests/tnc/tnccs-11/test.conf @@ -24,3 +24,7 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 + diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat index e0f3d9357..b67affbf4 100644 --- a/testing/tests/tnc/tnccs-20-block/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat @@ -1,12 +1,14 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home::NO +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e2bf349d9..000000000 --- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf index 201f6c7cb..fac3dc02d 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { tnc-imc { preferred_language = de, en @@ -12,6 +25,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..760fca451 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 77446cbae..000000000 --- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf index a255b906d..168e4ec64 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication=no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { tnc-imc { preferred_language = ru, fr, en @@ -12,6 +25,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-scanner { diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..53450038e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 9aeb02ac2..000000000 --- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf index ee510f1b5..bb15d3ffa 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -17,12 +30,6 @@ charon { } } -libimcv { - plugins { - imv-scanner { - closed_port_policy = yes - tcp_ports = 22 - udp_ports = 500 4500 - } - } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..e396cd06e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,39 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + certs = moonCert.pem + } + remote { + auth = eap-ttls + id = *@strongswan.org + } + children { + rw { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat index 2258e03ff..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-20-block/posttest.dat +++ b/testing/tests/tnc/tnccs-20-block/posttest.dat @@ -1,7 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -dave::/etc/init.d/apache2 stop 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat index c66a2e1ec..c8ab14343 100644 --- a/testing/tests/tnc/tnccs-20-block/pretest.dat +++ b/testing/tests/tnc/tnccs-20-block/pretest.dat @@ -1,14 +1,17 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -dave::/etc/init.d/apache2 start 2> /dev/null moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-block/test.conf b/testing/tests/tnc/tnccs-20-block/test.conf index a8a05af19..f6db73912 100644 --- a/testing/tests/tnc/tnccs-20-block/test.conf +++ b/testing/tests/tnc/tnccs-20-block/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat index c69940c4b..1b70ac8ec 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat @@ -1,19 +1,17 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf deleted file mode 100644 index a483d6df8..000000000 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf index ea8e62679..aceddc368 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 11378131a..000000000 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf index 3a93fc30c..7ac1a5d70 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 2 + } + } plugins { tnc-imc { preferred_language = ru , de, en @@ -12,6 +25,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf deleted file mode 100644 index b1093d46d..000000000 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf index 009e2ef13..a0b807755 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 2 + } + } plugins { eap-ttls { phase2_method = md5 @@ -14,6 +27,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imv-test { diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat index 85622034d..c8ab14343 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat @@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-client-retry/test.conf b/testing/tests/tnc/tnccs-20-client-retry/test.conf index a8a05af19..f6db73912 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/test.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e2bf349d9..000000000 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf index fcd224651..073355713 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { tnccs-20 { tests { @@ -14,6 +27,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 504408488..000000000 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf index 76f413722..6c1b9917b 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { tnc-imc { preferred_language = ru, pl , de @@ -17,6 +30,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e21ef0d14..000000000 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf index 9c13fcb67..165c5ccb9 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -14,6 +27,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imv-test { diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat index b757d8b15..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat @@ -1,6 +1,6 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat index 85622034d..c8ab14343 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat @@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf index 3c8e3996f..513114964 100644 --- a/testing/tests/tnc/tnccs-20-fail-init/test.conf +++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e2bf349d9..000000000 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf index ed6d6f718..56fa7a967 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e21ef0d14..000000000 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf index 626731f58..cb6abf305 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -19,6 +32,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imv-test { diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat index 80ce1a125..9af5f39a2 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat @@ -1,4 +1,4 @@ -carol::ipsec stop -moon::ipsec stop +carol::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat index e5c202947..3dba1d75e 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat @@ -2,7 +2,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start +carol::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf index e8430743e..9141c691e 100644 --- a/testing/tests/tnc/tnccs-20-fail-resp/test.conf +++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat index c69940c4b..d406b5925 100644 --- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat @@ -1,19 +1,18 @@ -carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon new file mode 100755 index 000000000..bf3a6891a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon @@ -0,0 +1,158 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: charon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: strongSwan charon IKE daemon +# Description: with swanctl the strongSwan charon daemon must be +# running in the background +### END INIT INFO + +# Author: Andreas Steffen +# +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin +DESC="strongSwan charon IKE daemon" +NAME=charon +DAEMON=/usr/local/libexec/ipsec/$NAME +DAEMON_ARGS="" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/charon + +export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf deleted file mode 100644 index a483d6df8..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf index 43af0fca1..c3338d43b 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf @@ -1,7 +1,25 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon new file mode 100755 index 000000000..bf3a6891a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon @@ -0,0 +1,158 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: charon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: strongSwan charon IKE daemon +# Description: with swanctl the strongSwan charon daemon must be +# running in the background +### END INIT INFO + +# Author: Andreas Steffen +# +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin +DESC="strongSwan charon IKE daemon" +NAME=charon +DAEMON=/usr/local/libexec/ipsec/$NAME +DAEMON_ARGS="" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/charon + +export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 11378131a..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf index 43af0fca1..89d9e50bd 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf @@ -1,7 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon new file mode 100755 index 000000000..bf3a6891a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon @@ -0,0 +1,158 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: charon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: strongSwan charon IKE daemon +# Description: with swanctl the strongSwan charon daemon must be +# running in the background +### END INIT INFO + +# Author: Andreas Steffen +# +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin +DESC="strongSwan charon IKE daemon" +NAME=charon +DAEMON=/usr/local/libexec/ipsec/$NAME +DAEMON_ARGS="" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/charon + +export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf deleted file mode 100644 index b1093d46d..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf index 9f3874b6c..0cd34865c 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 2 + } + } plugins { eap-ttls { phase2_method = md5 diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat index 39b0e03eb..f0f6446bf 100644 --- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat @@ -6,12 +6,15 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file -moon::cat /etc/tnc/dummyimv.policy -moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start moon::expect-connection rw-allow carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf index a8a05af19..f6db73912 100644 --- a/testing/tests/tnc/tnccs-20-fhh/test.conf +++ b/testing/tests/tnc/tnccs-20-fhh/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat index 1293e9883..90d1922fb 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat @@ -16,4 +16,3 @@ alice::cat /var/log/daemon.log::policy enforced on peer.*carol@strongswan.org.*i alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES - diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf deleted file mode 100644 index f2e611952..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imv 3" - -conn aaa - leftcert=aaaCert.pem - leftid=aaa.strongswan.org - auto=add diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem deleted file mode 100644 index 42083c2a9..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX -z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii -95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS -rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6 -fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR -dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig -kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB -BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y -Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs -nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/ -TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2 -FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ -GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH -sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73 -xyr/Qw== ------END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem deleted file mode 100644 index adc47dd33..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl -h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l -0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a -VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S -W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD -e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k -nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj -AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/ -/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs -P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF -sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek -uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj -PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5 -hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg -Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+ -Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL -SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU -zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH -xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I -XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF -hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9 -AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO -Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH -yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5 -9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index 606e184bd..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA aaaKey.pem diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf index 1ecf6f883..a0db6ae7b 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf @@ -1,8 +1,20 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imv = 3 + } + } plugins { eap-ttls { request_peer_auth = yes diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem new file mode 100644 index 000000000..adc47dd33 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl +h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l +0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a +VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S +W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD +e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k +nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj +AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/ +/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs +P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF +sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek +uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj +PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5 +hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg +Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+ +Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL +SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU +zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH +xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I +XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF +hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9 +AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO +Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH +yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5 +9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem new file mode 100644 index 000000000..42083c2a9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX +z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii +95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS +rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6 +fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR +dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig +kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs +nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/ +TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2 +FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ +GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH +sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73 +xyr/Qw== +-----END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 2cca42cd7..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf index 2694b75d8..f0a6c4bde 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf @@ -1,8 +1,21 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 3 + } + } plugins { eap-ttls { max_message_count = 0 @@ -17,6 +30,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { os_info { name = strongPrint OS diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..db9d4fad8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + aaa_id = aaa.strongswan.org + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 2707b2be9..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftauth=eap - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf index dbc845de9..f5c3440c1 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf @@ -1,8 +1,21 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 3 + } + } plugins { eap-ttls { max_message_count = 0 @@ -17,6 +30,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { os_info { name = strongPrint OS diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989107a2a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + aaa_id = aaa.strongswan.org + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 02ada5665..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightsendcert=never - right=%any - eap_identity=%any diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf index fc647a079..4dae69352 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf @@ -1,8 +1,13 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..3caad0c66 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,53 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + certs = moonCert.pem + } + remote { + auth = eap-radius + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = eap-radius + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat index 369cfe86f..bcd655353 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat @@ -1,7 +1,9 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -alice::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop +alice::service charon stop +alice::rm /etc/swanctl/rsa/aaaKey.pem +alice::rm /etc/swanctl/x509/aaaCert.pem winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat index 0978d1252..db8ce1061 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat @@ -7,11 +7,13 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id -alice::ipsec start -moon::ipsec start -carol::ipsec start -dave::ipsec start +alice::rm /etc/swanctl/rsa/aliceKey.pem +alice::rm /etc/swanctl/x509/aliceCert.pem +alice::service charon start +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/test.conf b/testing/tests/tnc/tnccs-20-hcd-eap/test.conf index c4ca1a19f..14b7fc8bf 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/test.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave alice" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap-fail/description.txt new file mode 100644 index 000000000..f910cb59f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/description.txt @@ -0,0 +1,5 @@ +The hosts moon and sun do mutual TNC measurements over IKEv2-EAP +using the PA-TNC, PB-TNC and PT-EAP protocols. The IKEv2 EAP-TTLS authentication +is based on X.509 certificates. The TNC measurement on moon is successful +and the measurement on sun fails, causing the IPsec connection to be +aborted by moon. diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/evaltest.dat new file mode 100644 index 000000000..93303221f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/evaltest.dat @@ -0,0 +1,7 @@ +moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +moon::cat /var/log/daemon.log::final recommendation is.*no access::YES +sun:: cat /var/log/daemon.log::final recommendation is.*allow::YES +moon::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::NO +sun::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::NO +moon::ping -c 1 -W 1 192.168.0.2::64 bytes from 192.168.0.2: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..a555970ec --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf @@ -0,0 +1,45 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + + multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + imv = 2 + } + } + plugins { + eap-ttls { + phase2_tnc = yes + } + tnccs-20 { + mutual = yes + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..329005907 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + mutual { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = eap-ttls + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = sun.strongswan.org + groups = allow + } + children { + mutual { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + mobike = no + send_certreq = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..b2280db18 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf @@ -0,0 +1,47 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + + multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + imv = 2 + } + } + plugins { + eap-ttls { + request_peer_auth = yes + phase2_piggyback = yes + phase2_tnc =yes + } + tnccs-20 { + mutual = yes + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + +libimcv { + plugins { + imc-test { + command = none + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6b559aa8c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + mutual { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + groups = allow + } + children { + mutual { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + mobike = no + send_certreq = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat new file mode 100644 index 000000000..4677e46f0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat @@ -0,0 +1,4 @@ +moon::service charon stop +sun::service charon stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat new file mode 100644 index 000000000..0a3563986 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::service charon start +sun::service charon start +moon::expect-connection mutual +moon::swanctl --initiate --child mutual diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/test.conf new file mode 100644 index 000000000..5c095cefa --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt index 6c79b8c49..6d5c67a03 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt +++ b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt @@ -1,3 +1,4 @@ The hosts moon and sun do mutual TNC measurements over IKEv2-EAP -using the PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on -X.509 certificates. +using the PA-TNC, PB-TNC and PT-EAP protocols. The IKEv2 EAP-TTLS authentication +is based on X.509 certificates. The TNC measurements of both moon and +sun are successful and the IPsec connection gets established. diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat index 0ef7b5d7d..28f101cdc 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat @@ -1,11 +1,9 @@ moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES -moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES -sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES -moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +moon::cat /var/log/daemon.log::final recommendation is.*allow::YES +sun:: cat /var/log/daemon.log::final recommendation is.*allow::YES +moon::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES +moon::ping -c 1 192.168.0.2::64 bytes from 192.168.0.2: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 47a0283dc..000000000 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 2, imv 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=moon.strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_SUN - rightid=sun.strongswan.org - rightsendcert=never - rightauth=any - auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf index 953e7fcea..1212e2356 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf @@ -1,12 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + imv = 2 + } + } plugins { eap-ttls { - phase2_tnc =yes + phase2_tnc = yes } tnccs-20 { mutual = yes @@ -14,6 +29,10 @@ charon { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..329005907 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + mutual { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = eap-ttls + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = sun.strongswan.org + groups = allow + } + children { + mutual { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + mobike = no + send_certreq = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf deleted file mode 100644 index c20bce930..000000000 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 2, imv 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn host-host - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=sun.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - right=PH_IP_MOON - rightid=moon.strongswan.org - rightauth=eap-ttls - rightsendcert=never - auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf index 570126a0e..f29175d67 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf @@ -1,9 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown - multiple_authentication = no + multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + imv = 2 + } + } plugins { eap-ttls { request_peer_auth = yes @@ -16,6 +31,10 @@ charon { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6b559aa8c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + mutual { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + groups = allow + } + children { + mutual { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + mobike = no + send_certreq = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat index 1f7aa73a1..4677e46f0 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat @@ -1,4 +1,4 @@ -moon::ipsec stop -sun::ipsec stop +moon::service charon stop +sun::service charon stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat index 997a48167..0a3563986 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection host-host -moon::ipsec up host-host +moon::service charon start +sun::service charon start +moon::expect-connection mutual +moon::swanctl --initiate --child mutual diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf index 55d6e9fd6..5c095cefa 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf +++ b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 98c415edb..000000000 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -/* configuration is read from /etc/pts/options */ diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options index 79ae1e866..7eea85def 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options @@ -1,8 +1,8 @@ --connect sun.strongswan.org --client moon.strongswan.org ---key /etc/ipsec.d/private/moonKey.pem ---cert /etc/ipsec.d/certs/moonCert.pem ---cert /etc/ipsec.d/cacerts/strongswanCert.pem +--key /etc/swanctl/rsa/moonKey.pem +--cert /etc/swanctl/x509/moonCert.pem +--cert /etc/swanctl/x509ca/strongswanCert.pem --mutual --quiet --debug 2 diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf index fafdac4aa..a476878ac 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf @@ -1,7 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file pt-tls-client { - load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20 + load = random nonce x509 openssl pem pkcs1 revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20 +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..28da4d427 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# the PT-TLS client reads its configuration and secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf deleted file mode 100644 index ba629a24f..000000000 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 2, imv 2" - -conn pdp - leftcert=sunCert.pem - leftid=sun.strongswan.org - auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf index 05ffdb178..9e694bc01 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf @@ -1,8 +1,21 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 + load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + imv = 2 + } + } plugins { tnc-pdp { server = sun.strongswan.org @@ -16,6 +29,10 @@ charon { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/swantcl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/swantcl/swanctl.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat index e6ccb14fe..d1f83a319 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat @@ -1 +1 @@ -sun::ipsec stop +sun::service charon stop diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat index 07b17600d..af53e6c9b 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat @@ -1,4 +1,4 @@ -sun::ipsec start +sun::service charon start moon::cat /etc/pts/options -sun::expect-connection pdp +moon::sleep 1 moon::ipsec pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf index 55d6e9fd6..5c095cefa 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat index 8c9e59a56..88b55c9f7 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat @@ -1,19 +1,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf deleted file mode 100644 index d17473db1..000000000 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf index 0c934295f..d3941d811 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf @@ -1,9 +1,28 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + pts = 3 + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf deleted file mode 100644 index d459bfc6c..000000000 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf index 156a2e4c4..134cd991c 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf @@ -1,12 +1,25 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no - retransmit_tries = 5 + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + pts = 3 + } + } plugins { tnc-imc { preferred_language = de @@ -14,6 +27,10 @@ charon { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-os { diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf deleted file mode 100644 index bc8b2d8f9..000000000 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf index c8992bdad..4b024e9a8 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf @@ -1,10 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + pts = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -14,6 +28,10 @@ charon { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat index 74b902c69..ce72d2ca9 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat index 345f54816..81537cc62 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat @@ -8,12 +8,16 @@ moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -dave::ipsec start -carol::ipsec start -dave::expect-connection home -dave::ipsec up home +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf index 4b1c410ff..005df9a0c 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/test.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # DBHOSTS="moon" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat index 292116309..202b408aa 100644 --- a/testing/tests/tnc/tnccs-20-os/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat @@ -1,19 +1,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: ipsec attest --sessions 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec attest --sessions 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e2bf349d9..000000000 --- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf index 0b8e9235c..ef90078f2 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 77446cbae..000000000 --- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf index 4dcb5c32f..4af05ad31 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { tnc-imc { preferred_language = de @@ -12,6 +25,10 @@ charon { } } +ilibtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-os { diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e21ef0d14..000000000 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index 43cf395d9..2fae3ba63 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -14,6 +27,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat index 74b902c69..ce72d2ca9 100644 --- a/testing/tests/tnc/tnccs-20-os/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 3c5cd328e..fa8d089f2 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -9,13 +9,16 @@ moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 -moon::ipsec attest --packages --product 'Debian 7.4 x86_64' +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/nullmoon::ipsec attest --packages --product 'Debian 7.9 x86_64' moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf index f4fd4dc16..005df9a0c 100644 --- a/testing/tests/tnc/tnccs-20-os/test.conf +++ b/testing/tests/tnc/tnccs-20-os/test.conf @@ -22,4 +22,8 @@ IPSECHOSTS="moon carol dave" # Guest instances on which databases are used # -DBHOSTS="moon" \ No newline at end of file +DBHOSTS="moon" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat index d373eb39b..2d3027c2c 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat @@ -3,14 +3,12 @@ dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on dave:: cat /var/log/daemon.log::collected ... SWID tags::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES carol::cat /var/log/daemon.log::collected 1 SWID tag::YES carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and ... SWID tags::YES alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES @@ -21,8 +19,10 @@ moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP succe moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES -moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES -moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200 remote-eap-id=dave.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf deleted file mode 100644 index f2e611952..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imv 3" - -conn aaa - leftcert=aaaCert.pem - leftid=aaa.strongswan.org - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem deleted file mode 100644 index 42083c2a9..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX -z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii -95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS -rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6 -fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR -dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig -kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB -BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y -Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs -nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/ -TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2 -FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ -GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH -sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73 -xyr/Qw== ------END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem deleted file mode 100644 index adc47dd33..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl -h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l -0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a -VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S -W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD -e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k -nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj -AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/ -/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs -P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF -sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek -uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj -PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5 -hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg -Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+ -Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL -SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU -zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH -xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I -XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF -hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9 -AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO -Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH -yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5 -9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index 11d45cd14..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA aaaKey.pem - -carol : EAP "Ar3etTnp" -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf index 48d5d70f0..4328b06ea 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -1,8 +1,20 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imv = 3 + } + } plugins { eap-ttls { phase2_method = md5 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem new file mode 100644 index 000000000..adc47dd33 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl +h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l +0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a +VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S +W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD +e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k +nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj +AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/ +/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs +P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF +sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek +uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj +PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5 +hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg +Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+ +Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL +SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU +zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH +xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I +XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF +hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9 +AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO +Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH +yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5 +9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..378b73a69 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,11 @@ +secrets { + + eap-carol { + id = carol + secret = "Ar3etTnp" + } + eap-dave { + id = dave + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem new file mode 100644 index 000000000..42083c2a9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX +z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii +95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS +rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6 +fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR +dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig +kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs +nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/ +TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2 +FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ +GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH +sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73 +xyr/Qw== +-----END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 6e6430e4d..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - eap_identity=carol - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 23d79cf2e..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf index 8aa2ab97e..47b9affed 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -1,10 +1,21 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - - retransmit_timeout = + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 3 + } + } plugins { eap-ttls { max_message_count = 0 @@ -18,3 +29,7 @@ charon { } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6925f0f90 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + eap_id = carol + aaa_id = aaa.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 4846af279..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - eap_identity=dave - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 02e0c9963..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf index aea7a71f9..d00808398 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -1,10 +1,21 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - - retransmit_timeout = + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 3 + } + } plugins { eap-ttls { max_message_count = 0 @@ -19,6 +30,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-os { diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0870cf04b --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + eap_id = dave + aaa_id = aaa.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 02ada5665..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightsendcert=never - right=%any - eap_identity=%any diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf index fc647a079..8b931afc9 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf @@ -1,8 +1,14 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown + multiple_authentication=no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..6ec8d3428 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,53 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + certs = moonCert.pem + } + remote { + auth = eap-radius + eap_id = %any + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = eap-radius + eap_id = %any + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat index fe9f59e44..e5ec2afc7 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat @@ -1,8 +1,10 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -alice::ipsec stop +moon::service charon stop +carol::service charon stop +dave::service charon stop +alice::service charon stop alice::service apache2 stop +alice::rm /etc/swanctl/x509/aaaCert.pem +alice::rm /etc/swanctl/rsa/aaaKey.pem moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat index 4b8d3f024..6292d6909 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -1,6 +1,12 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules +alice::rm /etc/swanctl/x509/aliceCert.pem +alice::rm /etc/swanctl/rsa/aliceKey.pem +carol::rm /etc/swanctl/x509/carolCert.pem +carol::rm /etc/swanctl/rsa/carolKey.pem +dave::rm /etc/swanctl/x509/daveCert.pem +dave::rm /etc/swanctl/rsa/daveKey.pem alice::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config @@ -12,12 +18,12 @@ alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql dat alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan alice::service apache2 start -alice::ipsec start -moon::ipsec start -dave::ipsec start -carol::ipsec start +alice::service charon start +moon::service charon start +dave::service charon start +carol::service charon start dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf index 345e91150..18522e76e 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave alice" # DBHOSTS="alice" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 7b2118f7e..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tls 2, tnc 2, imv 3" - -conn aaa - leftcert=aaaCert.pem - leftid=aaa.strongswan.org - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem deleted file mode 100644 index 42083c2a9..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX -z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii -95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS -rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6 -fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR -dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig -kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB -BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y -Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs -nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/ -TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2 -FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ -GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH -sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73 -xyr/Qw== ------END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem deleted file mode 100644 index adc47dd33..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl -h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l -0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a -VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S -W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD -e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k -nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj -AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/ -/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs -P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF -sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek -uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj -PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5 -hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg -Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+ -Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL -SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU -zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH -xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I -XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF -hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9 -AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO -Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH -yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5 -9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index 11d45cd14..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA aaaKey.pem - -carol : EAP "Ar3etTnp" -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index 5fa49e7a7..d1cb6c9e2 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -1,8 +1,21 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 nonce x509 openssl curl revocation constraints socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + } + syslog { + auth { + default = 0 + } + daemon { + tls = 2 + tnc = 2 + imv = 3 + } + } plugins { tnc-pdp { server = aaa.strongswan.org diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem new file mode 100644 index 000000000..adc47dd33 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl +h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l +0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a +VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S +W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD +e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k +nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj +AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/ +/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs +P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF +sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek +uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj +PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5 +hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg +Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+ +Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL +SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU +zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH +xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I +XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF +hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9 +AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO +Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH +yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5 +9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..635620b7d --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,7 @@ +secrets { + + eap-carol { + id = carol + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem new file mode 100644 index 000000000..42083c2a9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX +z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii +95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS +rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6 +fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR +dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig +kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs +nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/ +TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2 +FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ +GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH +sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73 +xyr/Qw== +-----END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 4a41e7ed9..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index d2f6378b8..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options index d485e9bf7..52a3673b3 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options @@ -1,6 +1,6 @@ --connect aaa.strongswan.org --client carol --secret "Ar3etTnp" ---cert /etc/ipsec.d/cacerts/strongswanCert.pem +--cert /etc/swanctl/x509ca/strongswanCert.pem --quiet --debug 2 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..28da4d427 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# the PT-TLS client reads its configuration and secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 4a41e7ed9..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index d2f6378b8..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options index ca3ca3aa1..08953142f 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options @@ -1,7 +1,7 @@ --connect aaa.strongswan.org --client dave@strongswan.org ---key /etc/ipsec.d/private/daveKey.pem ---cert /etc/ipsec.d/certs/daveCert.pem ---cert /etc/ipsec.d/cacerts/strongswanCert.pem +--key /etc/swanctl/rsa/daveKey.pem +--cert /etc/swanctl/x509/daveCert.pem +--cert /etc/swanctl/x509ca/strongswanCert.pem --quiet --debug 2 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..28da4d427 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# the PT-TLS client reads its configuration and secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf deleted file mode 100644 index ecd9d47aa..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 41cf8f84b..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..27f96a620 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1 @@ +# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat index 2f45a149d..09c8a6cbc 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat @@ -1,8 +1,10 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::ipsec stop +alice::service charon stop alice::service apache2 stop +alice::rm /etc/swanctl/rsa/aaaKey.pem +alice::rm /etc/swanctl/x509/aaaCert.pem alice::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat index e14ba8902..ea93b2d2b 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat @@ -11,8 +11,10 @@ alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan +alice::rm /etc/swanctl/x509/aliceCert.pem +alice::rm /etc/swanctl/rsa/aliceKey.pem alice::service apache2 start -alice::ipsec start +alice::service charon start alice::expect-connection aaa winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf index baeceb92b..08ea543e2 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf @@ -23,3 +23,7 @@ IPSECHOSTS="carol moon dave alice" # Guest instances on which databases are used # DBHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat index 8c9e59a56..88b89c91c 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat @@ -1,19 +1,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf deleted file mode 100644 index d17473db1..000000000 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf index 9f410d1bc..f4fb7e2dc 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf @@ -1,9 +1,28 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + pts = 3 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf deleted file mode 100644 index d459bfc6c..000000000 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index c69f9454d..b7a772692 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -1,12 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - - retransmit_timeout = + load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + pts = 3 + } + } plugins { tnc-imc { preferred_language = de @@ -14,6 +26,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-os { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf deleted file mode 100644 index bc8b2d8f9..000000000 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf index 38b2e2ec2..117ca715c 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf @@ -1,10 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + pts = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -14,6 +28,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat index 74b902c69..ce72d2ca9 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat index 345f54816..4b1c45ef9 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat @@ -8,12 +8,16 @@ moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -dave::ipsec start -carol::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +dave::service charon start +carol::service charon start dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf index 2fd3139f5..005df9a0c 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # DBHOSTS="moon" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat index d67756349..a531ddf08 100644 --- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat @@ -1,19 +1,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/28]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp new file mode 100644 index 000000000..f57c1e1ec Binary files /dev/null and b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp differ diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf deleted file mode 100644 index d17473db1..000000000 --- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf index 0c934295f..2eb34841d 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf @@ -1,9 +1,28 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + pts = 3 + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..c35df4fbc --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf deleted file mode 100644 index d459bfc6c..000000000 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index b6c9ab661..e9fa8cb80 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -1,11 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - - retransmit_timeout = + load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + pts = 3 + } + } plugins { tnc-imc { preferred_language = de @@ -13,6 +26,10 @@ charon { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-os { diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..dd349a087 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf deleted file mode 100644 index bc8b2d8f9..000000000 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3, pts 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index d9d0624f5..4b024e9a8 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -1,12 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite - - retransmit_timeout = + load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + pts = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -16,6 +28,10 @@ charon { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..c7e9b1ef2 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-ecp256 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat index 74b902c69..ce72d2ca9 100644 --- a/testing/tests/tnc/tnccs-20-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat index 345f54816..4b1c45ef9 100644 --- a/testing/tests/tnc/tnccs-20-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat @@ -8,12 +8,16 @@ moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -dave::ipsec start -carol::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +dave::service charon start +carol::service charon start dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pts/test.conf b/testing/tests/tnc/tnccs-20-pts/test.conf index 2fd3139f5..005df9a0c 100644 --- a/testing/tests/tnc/tnccs-20-pts/test.conf +++ b/testing/tests/tnc/tnccs-20-pts/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # DBHOSTS="moon" +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat index c69940c4b..b94dc5e2c 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat @@ -1,19 +1,18 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf deleted file mode 100644 index a483d6df8..000000000 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf index 85287fb51..7e51900a1 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 11378131a..000000000 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf index f068d121e..4aeda6674 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 2 + } + } plugins { tnc-imc { preferred_language = ru , de, en @@ -12,6 +25,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf deleted file mode 100644 index b1093d46d..000000000 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf index 009e2ef13..902e837f5 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 2 + } + } plugins { eap-ttls { phase2_method = md5 @@ -14,6 +27,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imv-test { diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat index 85622034d..c8ab14343 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat @@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-server-retry/test.conf b/testing/tests/tnc/tnccs-20-server-retry/test.conf index a8a05af19..f6db73912 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/test.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat index fe1becb97..ff9ac28b8 100644 --- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat @@ -1,19 +1,18 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf deleted file mode 100644 index eece9f294..000000000 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf index 6c7ef551f..73f32424e 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..7898275dd --- /dev/null +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + certs = carolCert.pem + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 362042656..000000000 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imc 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf index 67c3007f4..07df4c086 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imc = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..73c379cd2 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + certs =daveCert.pem + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 0ec930286..000000000 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 2, imv 2" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid="C=CH, O=Linux strongSwan, OU=*, CN=*" - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf index a408b734e..7aef92f39 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 2 + imv = 2 + } + } plugins { eap-ttls { request_peer_auth = yes @@ -13,3 +26,7 @@ charon { } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..99ef2c98c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,50 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-20-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat index 85622034d..709a7714b 100644 --- a/testing/tests/tnc/tnccs-20-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat @@ -4,10 +4,10 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-tls/test.conf b/testing/tests/tnc/tnccs-20-tls/test.conf index a8a05af19..f6db73912 100644 --- a/testing/tests/tnc/tnccs-20-tls/test.conf +++ b/testing/tests/tnc/tnccs-20-tls/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat index c69940c4b..b94dc5e2c 100644 --- a/testing/tests/tnc/tnccs-20/evaltest.dat +++ b/testing/tests/tnc/tnccs-20/evaltest.dat @@ -1,19 +1,18 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e2bf349d9..000000000 --- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf index c1693c156..887806475 100644 --- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf @@ -1,9 +1,27 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 77446cbae..000000000 --- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf index d8026b2dc..e78272b43 100644 --- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { tnc-imc { preferred_language = ru, pl , de @@ -12,6 +25,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e21ef0d14..000000000 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf index 9c13fcb67..165c5ccb9 100644 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf @@ -1,10 +1,23 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -14,6 +27,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imv-test { diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-20/posttest.dat +++ b/testing/tests/tnc/tnccs-20/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat index 85622034d..c8ab14343 100644 --- a/testing/tests/tnc/tnccs-20/pretest.dat +++ b/testing/tests/tnc/tnccs-20/pretest.dat @@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20/test.conf b/testing/tests/tnc/tnccs-20/test.conf index a8a05af19..f6db73912 100644 --- a/testing/tests/tnc/tnccs-20/test.conf +++ b/testing/tests/tnc/tnccs-20/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat index 3d0c55449..2bb125430 100644 --- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat +++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat @@ -1,11 +1,9 @@ carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES moon:: cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES moon:: cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES @@ -18,10 +16,11 @@ moon:: cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES -moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO - +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf deleted file mode 100644 index e2bf349d9..000000000 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf index a81460b95..609852bc7 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf @@ -1,11 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no integrity_test = yes + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { eap-tnc { protocol = tnccs-1.1 @@ -13,6 +26,10 @@ charon { } } +ilibtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..0f266dd93 --- /dev/null +++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = carol@strongswan.org + secret = "Ar3etTnp" + } +} diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 77446cbae..000000000 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightauth=any - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf index b64aeeb93..2c0deca5e 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf @@ -1,11 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication=no integrity_test = yes + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imc = 3 + } + } plugins { eap-tnc { protocol = tnccs-2.0 @@ -13,6 +26,10 @@ charon { } } +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + libimcv { plugins { imc-test { diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..989ab88c7 --- /dev/null +++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf deleted file mode 100644 index e21ef0d14..000000000 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf index 45c132fe8..d61bcd111 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf @@ -1,11 +1,24 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown multiple_authentication=no integrity_test = yes + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + syslog { + auth { + default = 0 + } + daemon { + tnc = 3 + imv = 3 + } + } plugins { eap-ttls { phase2_method = md5 @@ -18,3 +31,8 @@ charon { } } } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} + diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/swanctl/swanctl.conf new file mode 100644 index 000000000..1238c1a91 --- /dev/null +++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,64 @@ +connections { + + rw-allow { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = allow + } + children { + rw-allow { + local_ts = 10.1.0.0/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } + + rw-isolate { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + id = moon.strongswan.org + } + remote { + auth = eap-ttls + id = *@strongswan.org + groups = isolate + } + children { + rw-isolate { + local_ts = 10.1.0.16/28 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp" + } + eap-dave { + id = dave@strongswan.org + secret = "W7R0g3do" + } +} diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat index 1865a1c60..770cf6ede 100644 --- a/testing/tests/tnc/tnccs-dynamic/posttest.dat +++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::service charon stop +dave::service charon stop +moon::service charon stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat index 927b89d06..c8ab14343 100644 --- a/testing/tests/tnc/tnccs-dynamic/pretest.dat +++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat @@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::LEAK_DETECTIVE_DISABLE=1 ipsec start -carol::LEAK_DETECTIVE_DISABLE=1 ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/x509/* +dave::rm /etc/swanctl/x509/* +moon::service charon start +carol::service charon start +dave::service charon start carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-dynamic/test.conf b/testing/tests/tnc/tnccs-dynamic/test.conf index a8a05af19..f6db73912 100644 --- a/testing/tests/tnc/tnccs-dynamic/test.conf +++ b/testing/tests/tnc/tnccs-dynamic/test.conf @@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS= +# charon controlled by swanctl +# +SWANCTL=1 -- cgit v1.2.3