From 51a71ee15c1bcf0e82f363a16898f571e211f9c3 Mon Sep 17 00:00:00 2001 
From: Yves-Alexis Perez
Date: Mon, 4 Jun 2018 09:59:21 +0200
Subject: New upstream version 5.6.3
---
 testing/hosts/default/etc/sysctl.conf | 2 +-
 testing/scripts/recipes/patches/freeradius-tnc-fhh | 2 +-
 testing/testing.conf | 6 ++---
 .../ikev2/alg-chacha20poly1305/description.txt | 2 +-
 .../tests/ikev2/alg-chacha20poly1305/evaltest.dat | 8 +++----
 .../dhcp-dynamic/hosts/moon/etc/iptables.rules | 4 ++--
 testing/tests/ikev2/dhcp-dynamic/posttest.dat | 3 ++-
 .../hosts/moon/etc/iptables.rules | 4 ++--
 .../hosts/moon/etc/strongswan.conf | 1 +
 .../dhcp-static-mac/hosts/moon/etc/iptables.rules | 4 ++--
 .../ikev2/multi-level-ca-skipped/description.txt | 4 ++++
 .../ikev2/multi-level-ca-skipped/evaltest.dat | 4 ++++
 .../hosts/carol/etc/ipsec.conf | 21 +++++++++++++++++
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 25 ++++++++++++++++++++
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 27 ++++++++++++++++++++++
 .../hosts/carol/etc/ipsec.secrets | 3 +++
 .../hosts/carol/etc/strongswan.conf | 5 ++++
 .../hosts/moon/etc/ipsec.conf | 25 ++++++++++++++++++++
 .../moon/etc/ipsec.d/cacerts/researchCert.pem | 23 ++++++++++++++++++
 .../hosts/moon/etc/strongswan.conf | 5 ++++
 .../ikev2/multi-level-ca-skipped/posttest.dat | 3 +++
 .../tests/ikev2/multi-level-ca-skipped/pretest.dat | 5 ++++
 .../tests/ikev2/multi-level-ca-skipped/test.conf | 21 +++++++++++++++++
 testing/tests/ipv6/rw-psk-ikev2/description.txt | 2 +-
 .../dhcp-dynamic/hosts/moon/etc/iptables.rules | 4 ++--
 testing/tests/swanctl/dhcp-dynamic/posttest.dat | 5 ++--
 26 files changed, 196 insertions(+), 22 deletions(-)
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/description.txt
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.d/certs/carolCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.d/private/carolKey.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/posttest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/pretest.dat
 create mode 100644 testing/tests/ikev2/multi-level-ca-skipped/test.conf
(limited to 'testing')
diff --git a/testing/hosts/default/etc/sysctl.conf b/testing/hosts/default/etc/sysctl.conf
index 43010d52e..364b64ad6 100644
--- a/testing/hosts/default/etc/sysctl.conf
+++ b/testing/hosts/default/etc/sysctl.conf
@@ -1,6 +1,6 @@
 #
 # /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additonal system variables
+# See /etc/sysctl.d/ for additional system variables
 # See sysctl.conf (5) for information.
 #
diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh
index 6460c86a3..26a233d48 100644
--- a/testing/scripts/recipes/patches/freeradius-tnc-fhh
+++ b/testing/scripts/recipes/patches/freeradius-tnc-fhh
@@ -5363,7 +5363,7 @@ diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc
 -#define VLAN_ACCESS 2
 -/*
 - ****
-- * EAP - MD5 does not specify code, id & length but chap specifies them,
+- * EAP - MD5 doesnot specify code, id & length but chap specifies them,
 - * for generalization purpose, complete header should be sent
 - * and not just value_size, value and name.
 - * future implementation.
diff --git a/testing/testing.conf b/testing/testing.conf
index 595fd9667..0da9aedad 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,14 +24,14 @@ fi
 : ${TESTDIR=/srv/strongswan-testing}
 # Kernel configuration
-: ${KERNELVERSION=4.15}
+: ${KERNELVERSION=4.15.18}
 : ${KERNEL=linux-$KERNELVERSION}
 : ${KERNELTARBALL=$KERNEL.tar.xz}
 : ${KERNELCONFIG=$DIR/../config/kernel/config-4.15}
-: ${KERNELPATCH=ha-4.14-abicompat.patch.bz2}
+: ${KERNELPATCH=ha-4.15.6-abicompat.patch.bz2}
 # strongSwan version used in tests
-: ${SWANVERSION=5.6.2}
+: ${SWANVERSION=5.6.3}
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/description.txt b/testing/tests/ikev2/alg-chacha20poly1305/description.txt
index dd8918b68..a808c4b67 100644
--- a/testing/tests/ikev2/alg-chacha20poly1305/description.txt
+++ b/testing/tests/ikev2/alg-chacha20poly1305/description.txt
@@ -1,5 +1,5 @@
 Roadwarrior carol proposes to gateway moon the cipher suite
-CHACHA20_POLY1305_256 both for IKE and ESP by defining
+CHACHA20_POLY1305 both for IKE and ESP by defining
 ike=chacha20poly1305-prfsha256-ntru256 and esp=chacha20poly1305-ntru256 in ipsec.conf, respectively. A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat b/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat
index ab54ce153..ac29c66ff 100644
--- a/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat
+++ b/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat
@@ -3,10 +3,10 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305_256::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305_256::YES
-moon:: ipsec statusall 2> /dev/null::CHACHA20_POLY1305_256,::YES
-carol::ipsec statusall 2> /dev/null::CHACHA20_POLY1305_256,::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305::YES
+moon:: ipsec statusall 2> /dev/null::CHACHA20_POLY1305,::YES
+carol::ipsec statusall 2> /dev/null::CHACHA20_POLY1305,::YES
 moon:: ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES
 carol::ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
index 2d9a466b0..792fc56bc 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
@@ -5,8 +5,8 @@
 -P OUTPUT DROP
 -P FORWARD DROP
-# allow bootpc and bootps
--A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+# allow bootps (in relay mode also in OUTPUT)
+-A OUTPUT -p udp --sport bootps --dport bootps -j ACCEPT
 -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
 # allow broadcasts from eth1
diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
index d4a05b28b..60be3f95c 100644
--- a/testing/tests/ikev2/dhcp-dynamic/posttest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
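Review bot: The rewritten OUTPUT rule only admits packets moon sends from bootps, and with the `-P OUTPUT DROP` policy two lines above, anything charon's dhcp plugin sends from the client port is now dropped silently, so a setup that is not in relay mode fails with a DHCP timeout and no firewall hint. The new comment names relay mode without saying what puts moon into it — presumably the plugin's `server` setting (cf. `server = 10.1.255.255` in dhcp-static-client-id's strongswan.conf in this commit) — so I would spell that out: `# charon's dhcp plugin acts as a DHCP relay here (dhcp.server in strongswan.conf) and sends from bootps, so OUTPUT must allow bootps -> bootps`. The same hunk is applied to dhcp-static-client-id, dhcp-static-mac and swanctl/dhcp-dynamic, and the comment belongs in each.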
@@ -1,8 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-venus::cat /var/state/dhcp/dhcpd.leases
+venus::cat /var/lib/dhcp/dhcpd.leases
 venus::service isc-dhcp-server stop 2> /dev/null
+venus::rm /var/lib/dhcp/dhcpd.leases*; touch /var/lib/dhcp/dhcpd.leases
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
index 2d9a466b0..792fc56bc 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
@@ -5,8 +5,8 @@
 -P OUTPUT DROP
 -P FORWARD DROP
-# allow bootpc and bootps
--A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+# allow bootps (in relay mode also in OUTPUT)
+-A OUTPUT -p udp --sport bootps --dport bootps -j ACCEPT
 -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
 # allow broadcasts from eth1
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
index c4a0ff8bb..0883bf058 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
@@ -6,6 +6,7 @@ charon {
 plugins {
 dhcp {
 server = 10.1.255.255
+ identity_lease = yes
 }
 }
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
index 2d9a466b0..792fc56bc 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
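Review bot: The added `venus::rm /var/lib/dhcp/dhcpd.leases*; touch /var/lib/dhcp/dhcpd.leases` resets the lease database only in posttest, so a run aborted before cleanup leaves stale leases in place for the next DHCP test, and because the preceding `service isc-dhcp-server stop 2> /dev/null` hides a failed stop, the file can be deleted underneath a still-running dhcpd. I would perform the reset in pretest.dat as well, before the server is started, where it runs unconditionally; this test's pretest.dat is not part of the commit, so it may already do so. The `touch` also recreates the file owned by root — if dhcpd on venus runs as a dedicated user, ownership should be restored or the next run's lease writes will fail. The same lines are added to swanctl/dhcp-dynamic/posttest.dat, where fixing `server` to `service` makes the stop happen for the first time, so both points apply there too.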
@@ -5,8 +5,8 @@
 -P OUTPUT DROP
 -P FORWARD DROP
-# allow bootpc and bootps
--A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+# allow bootps (in relay mode also in OUTPUT)
+-A OUTPUT -p udp --sport bootps --dport bootps -j ACCEPT
 -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
 # allow broadcasts from eth1
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/description.txt b/testing/tests/ikev2/multi-level-ca-skipped/description.txt
new file mode 100644
index 000000000..a5571d00c
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/description.txt
@@ -0,0 +1,4 @@
+The roadwarrior carol possesses a certificate issued by the Research CA.
+The CRL for the root CA can't be fetched and thus the status of the certificate
+of the Research CA is unknown and the authentication is rejected due to the
+strict CRL policy enforced by the gateway moon.
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat b/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat
new file mode 100644
index 000000000..5d445c27f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/evaltest.dat
@@ -0,0 +1,4 @@
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..297e348ea
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.conf
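Review bot: The new evaltest.dat pins only the outcome — `RULE_CRL_VALIDATION is FAILED` on moon and `AUTHENTICATION_FAILED` on carol — and not its intended cause, so any CRL failure in carol's chain (the Research CA's own CRL being unfetchable, a missing curl plugin, a DNS problem for crl.strongswan.org) satisfies the same assertions, and the test cannot tell the "root CA CRL unavailable" case that description.txt says it checks from an unrelated revocation breakage. I would add a moon:: line matching the daemon.log entry for the failed fetch of `http://crl.strongswan.org/not-available.crl`, the URI configured in moon's ipsec.conf in this commit; I have not verified the exact wording charon logs for a failed CRL fetch, so take it from a run. Separately, winnetou is listed in VIRTHOSTS in test.conf but appears in no pretest, posttest or evaltest line — presumably it serves crl.strongswan.org — and a one-line comment saying so in test.conf would help the next maintainer.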
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=yes
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..698e47cc0
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw
+NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF
+sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK
+oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L
+7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib
+tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA
+IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd
+qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
+TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i
+9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI
+jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX
+sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K
+yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3
+mk0VsDm1jdOf3PK1Xd2PJw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..3a5d7c487
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.d/private/carolKey.pem
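Review bot: The validity period encoded in this certificate appears to end on 2019-04-03 (the second UTCTime in the `MB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw` run decodes to 190403102504Z), and the Research CA certificate added under hosts/moon/etc/ipsec.d/cacerts/researchCert.pem appears to expire on 2019-03-21, both well within the life of this test suite. After those dates moon will most likely reject carol for certificate lifetime reasons before the CRL is ever evaluated, so the `RULE_CRL_VALIDATION is FAILED` line that evaltest.dat expects would stop appearing and the test would fail for a reason unrelated to what it checks. A fixture with a longer validity, or a note in description.txt on the expiry and on how the test certificates are regenerated, would avoid that; I decoded the dates by hand, so confirm them with `openssl x509 -noout -dates` before acting on this.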
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO
+7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm
+x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1
+awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz
+5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz
+9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6
+zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp
+9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa
+ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8
+JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup
+F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT
+0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y
+bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ
+oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH
+Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ
+aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H
+3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF
+mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz
+6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0
+oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol
+1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye
+8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy
+HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od
+pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY
+zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7a64dce30
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..fe69abe92
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=yes
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://crl.strongswan.org/not-available.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..4d9fed09a
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDMyMjEzNTYyMloXDTE5MDMyMTEzNTYyMlowUTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
+FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
+zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
+/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
+C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
+VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
+bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAKHj4oUmSaG9u3QC
+wjbETgexmKo6EViRjaf++QlK54ILHmPHCkN6Smzr5xpmi7P/FnBLqMlfMIQ3DCD7
+Fof/8SqaE/V9cP7TXK6c5vZHLoVU/NZW1A/HucMHSxd1DEiTfmrz8Q9RNb/r5adZ
+Epbje7IRlufhpDD2hDNs1FyjmY9V9G4VfOBA/JBWlgs+A810uidNVD+YEFxDlIZG
+6Kr0d5/WZowOUX7G8LUaa5kjoCS7MJONeEX2D/wtsx7Zw3f7GjFDdJfdi+CbAwBN
+d8kt2l7yt7oEW9AfOcMQ7+HZOqihNrV8mCErk39p9f6zcZtYHnjM5fJlNRmc+EXC
+mk13kTA=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7a64dce30
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat b/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat
new file mode 100644
index 000000000..f84b7e37b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat b/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat
new file mode 100644
index 000000000..1d847c013
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/pretest.dat
@@ -0,0 +1,5 @@
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection alice
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-skipped/test.conf b/testing/tests/ikev2/multi-level-ca-skipped/test.conf
new file mode 100644
index 000000000..892f51cd9
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-skipped/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/description.txt b/testing/tests/ipv6/rw-psk-ikev2/description.txt
index 0bd1474a0..fd7369d8f 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/description.txt
+++ b/testing/tests/ipv6/rw-psk-ikev2/description.txt
@@ -1,4 +1,4 @@
-TThe roadwarriors carol and dave set up an IPv6 tunnel connection each
+The roadwarriors carol and dave set up an IPv6 tunnel connection each
 to gateway moon. The authentication is based on distinct pre-shared keys and IPv6 addresses. Upon the successful establishment of the IPsec tunnels, automatically inserted ip6tables-based firewall rules let pass the tunneled traffic.
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules
index 2d9a466b0..792fc56bc 100644
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules
@@ -5,8 +5,8 @@
 -P OUTPUT DROP
 -P FORWARD DROP
-# allow bootpc and bootps
--A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+# allow bootps (in relay mode also in OUTPUT)
+-A OUTPUT -p udp --sport bootps --dport bootps -j ACCEPT
 -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT
 # allow broadcasts from eth1
diff --git a/testing/tests/swanctl/dhcp-dynamic/posttest.dat b/testing/tests/swanctl/dhcp-dynamic/posttest.dat
index 37e8b02d8..466fc931c 100644
--- a/testing/tests/swanctl/dhcp-dynamic/posttest.dat
+++ b/testing/tests/swanctl/dhcp-dynamic/posttest.dat
@@ -3,8 +3,9 @@ dave::swanctl --terminate --ike home
 carol::systemctl stop strongswan-swanctl
 dave::systemctl stop strongswan-swanctl
 moon::systemctl stop strongswan-swanctl
-venus::cat /var/state/dhcp/dhcpd.leases
-venus::server isc-dhcp-server stop 2> /dev/null
+venus::cat /var/lib/dhcp/dhcpd.leases
+venus::service isc-dhcp-server stop 2> /dev/null
+venus::rm /var/lib/dhcp/dhcpd.leases*; touch /var/lib/dhcp/dhcpd.leases
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-- 
cgit v1.2.3