From 568905f488e63e28778f87ac0e38d845f45bae79 Mon Sep 17 00:00:00 2001 From: René Mayrhofer Date: Sat, 5 Mar 2011 09:20:09 +0100 Subject: Imported Upstream version 4.5.1 --- testing/INSTALL | 13 +- testing/Makefile.in | 4 +- testing/do-tests.in | 1 + testing/hosts/default/etc/hosts | 2 + testing/hosts/default/etc/ipsec.d/tables.sql | 38 ++- testing/hosts/winnetou/etc/openssl/index.txt | 1 + testing/hosts/winnetou/etc/openssl/index.txt.old | 1 + testing/hosts/winnetou/etc/openssl/newcerts/23.pem | 25 ++ testing/hosts/winnetou/etc/openssl/serial | 2 +- testing/hosts/winnetou/etc/openssl/serial.old | 2 +- testing/scripts/build-umlrootfs | 20 ++ testing/scripts/kstart-umls | 2 +- testing/scripts/xstart-umls | 2 +- testing/testing.conf | 18 +- testing/tests/ha/both-active/description.txt | 8 + testing/tests/ha/both-active/evaltest.dat | 20 ++ .../ha/both-active/hosts/alice/etc/init.d/iptables | 104 ++++++++ .../ha/both-active/hosts/alice/etc/ipsec.conf | 22 ++ .../hosts/alice/etc/ipsec.d/certs/marsCert.pem | 25 ++ .../hosts/alice/etc/ipsec.d/private/marsKey.pem | 27 ++ .../ha/both-active/hosts/alice/etc/ipsec.secrets | 3 + .../ha/both-active/hosts/alice/etc/strongswan.conf | 15 ++ .../ha/both-active/hosts/carol/etc/ipsec.conf | 23 ++ .../ha/both-active/hosts/carol/etc/strongswan.conf | 5 + .../tests/ha/both-active/hosts/dave/etc/ipsec.conf | 23 ++ .../ha/both-active/hosts/dave/etc/strongswan.conf | 6 + .../ha/both-active/hosts/moon/etc/init.d/iptables | 104 ++++++++ .../tests/ha/both-active/hosts/moon/etc/ipsec.conf | 22 ++ .../hosts/moon/etc/ipsec.d/certs/marsCert.pem | 25 ++ .../hosts/moon/etc/ipsec.d/private/marsKey.pem | 27 ++ .../ha/both-active/hosts/moon/etc/ipsec.secrets | 3 + .../ha/both-active/hosts/moon/etc/strongswan.conf | 15 ++ testing/tests/ha/both-active/posttest.dat | 17 ++ testing/tests/ha/both-active/pretest.dat | 18 ++ testing/tests/ha/both-active/test.conf | 21 ++ testing/tests/ikev1/dpd-restart/evaltest.dat | 4 +- testing/tests/ikev1/dynamic-initiator/pretest.dat | 2 +- testing/tests/ikev1/dynamic-responder/pretest.dat | 2 +- testing/tests/ikev1/net2net-start/pretest.dat | 2 +- testing/tests/ikev1/xauth-rsa-fail/description.txt | 2 +- .../tests/ikev1/xauth-rsa-nosecret/description.txt | 2 +- .../tests/ikev2/critical-extension/description.txt | 5 + .../tests/ikev2/critical-extension/evaltest.dat | 6 + .../critical-extension/hosts/moon/etc/ipsec.conf | 25 ++ .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 0 -> 952 bytes .../hosts/moon/etc/strongswan.conf | 12 + .../critical-extension/hosts/sun/etc/ipsec.conf | 25 ++ .../hosts/sun/etc/ipsec.d/certs/sunCert.der | Bin 0 -> 951 bytes .../hosts/sun/etc/strongswan.conf | 6 + .../tests/ikev2/critical-extension/posttest.dat | 5 + testing/tests/ikev2/critical-extension/pretest.dat | 6 + testing/tests/ikev2/critical-extension/test.conf | 21 ++ .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../rw-eap-tnc-11-radius-block/description.txt | 11 + .../ikev2/rw-eap-tnc-11-radius-block/evaltest.dat | 14 ++ .../hosts/alice/etc/raddb/clients.conf | 4 + .../hosts/alice/etc/raddb/dictionary | 2 + .../hosts/alice/etc/raddb/dictionary.tnc | 5 + .../hosts/alice/etc/raddb/eap.conf | 25 ++ .../hosts/alice/etc/raddb/proxy.conf | 5 + .../hosts/alice/etc/raddb/radiusd.conf | 120 +++++++++ .../hosts/alice/etc/raddb/sites-available/default | 44 ++++ .../alice/etc/raddb/sites-available/inner-tunnel | 32 +++ .../etc/raddb/sites-available/inner-tunnel-second | 23 ++ .../hosts/alice/etc/raddb/users | 2 + .../hosts/alice/etc/tnc_config | 3 + .../hosts/carol/etc/ipsec.conf | 24 ++ .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../hosts/carol/etc/tnc_config | 3 + .../hosts/dave/etc/ipsec.conf | 24 ++ .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 6 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../hosts/dave/etc/tnc_config | 3 + .../hosts/moon/etc/init.d/iptables | 84 +++++++ .../hosts/moon/etc/ipsec.conf | 25 ++ .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 12 + .../ikev2/rw-eap-tnc-11-radius-block/posttest.dat | 8 + .../ikev2/rw-eap-tnc-11-radius-block/pretest.dat | 15 ++ .../ikev2/rw-eap-tnc-11-radius-block/test.conf | 26 ++ .../ikev2/rw-eap-tnc-11-radius/description.txt | 10 + .../tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat | 19 ++ .../hosts/alice/etc/raddb/clients.conf | 4 + .../hosts/alice/etc/raddb/dictionary | 2 + .../hosts/alice/etc/raddb/dictionary.tnc | 5 + .../hosts/alice/etc/raddb/eap.conf | 25 ++ .../hosts/alice/etc/raddb/proxy.conf | 5 + .../hosts/alice/etc/raddb/radiusd.conf | 120 +++++++++ .../hosts/alice/etc/raddb/sites-available/default | 44 ++++ .../alice/etc/raddb/sites-available/inner-tunnel | 32 +++ .../etc/raddb/sites-available/inner-tunnel-second | 36 +++ .../hosts/alice/etc/raddb/users | 2 + .../hosts/alice/etc/tnc_config | 3 + .../hosts/carol/etc/ipsec.conf | 24 ++ .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf | 24 ++ .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 6 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config | 3 + .../hosts/moon/etc/init.d/iptables | 84 +++++++ .../rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf | 35 +++ .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 13 + .../tests/ikev2/rw-eap-tnc-11-radius/posttest.dat | 8 + .../tests/ikev2/rw-eap-tnc-11-radius/pretest.dat | 18 ++ testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf | 26 ++ testing/tests/ikev2/rw-eap-tnc-11/description.txt | 9 + testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat | 19 ++ .../ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf | 23 ++ .../rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets | 3 + .../rw-eap-tnc-11/hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config | 3 + .../ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf | 23 ++ .../rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets | 3 + .../rw-eap-tnc-11/hosts/dave/etc/strongswan.conf | 6 + .../rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config | 3 + .../ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf | 36 +++ .../rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets | 6 + .../rw-eap-tnc-11/hosts/moon/etc/strongswan.conf | 13 + .../ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config | 3 + testing/tests/ikev2/rw-eap-tnc-11/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-11/pretest.dat | 15 ++ testing/tests/ikev2/rw-eap-tnc-11/test.conf | 26 ++ .../ikev2/rw-eap-tnc-20-block/description.txt | 11 + .../tests/ikev2/rw-eap-tnc-20-block/evaltest.dat | 12 + .../rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf | 23 ++ .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 14 ++ .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-block/hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf | 23 ++ .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 14 ++ .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-block/hosts/dave/etc/tnc_config | 3 + .../rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf | 26 ++ .../hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 19 ++ .../rw-eap-tnc-20-block/hosts/moon/etc/tnc_config | 3 + .../tests/ikev2/rw-eap-tnc-20-block/posttest.dat | 6 + .../tests/ikev2/rw-eap-tnc-20-block/pretest.dat | 15 ++ testing/tests/ikev2/rw-eap-tnc-20-block/test.conf | 26 ++ .../tests/ikev2/rw-eap-tnc-20-tls/description.txt | 10 + testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat | 19 ++ .../rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf | 24 ++ .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf | 24 ++ .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config | 3 + .../rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf | 36 +++ .../rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 16 ++ .../rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config | 3 + testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat | 15 ++ testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf | 26 ++ testing/tests/ikev2/rw-eap-tnc-20/description.txt | 11 + testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat | 19 ++ .../ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf | 23 ++ .../rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets | 3 + .../rw-eap-tnc-20/hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config | 4 + .../ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf | 23 ++ .../rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets | 3 + .../rw-eap-tnc-20/hosts/dave/etc/strongswan.conf | 11 + .../rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config | 4 + .../ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf | 36 +++ .../rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets | 6 + .../rw-eap-tnc-20/hosts/moon/etc/strongswan.conf | 16 ++ .../ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config | 4 + testing/tests/ikev2/rw-eap-tnc-20/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-20/pretest.dat | 15 ++ testing/tests/ikev2/rw-eap-tnc-20/test.conf | 26 ++ .../tests/ikev2/rw-eap-tnc-block/description.txt | 8 - testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat | 12 - .../rw-eap-tnc-block/hosts/carol/etc/ipsec.conf | 23 -- .../rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-block/hosts/carol/etc/tnc_config | 3 - .../rw-eap-tnc-block/hosts/dave/etc/ipsec.conf | 23 -- .../rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-block/hosts/dave/etc/tnc_config | 3 - .../rw-eap-tnc-block/hosts/moon/etc/ipsec.conf | 26 -- .../rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 13 - .../rw-eap-tnc-block/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc-block/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc-block/pretest.dat | 15 -- testing/tests/ikev2/rw-eap-tnc-block/test.conf | 26 -- .../tests/ikev2/rw-eap-tnc-dynamic/description.txt | 12 + .../tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat | 27 ++ .../rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf | 23 ++ .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config | 4 + .../rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf | 23 ++ .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config | 4 + .../rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf | 36 +++ .../hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 16 ++ .../rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config | 4 + .../tests/ikev2/rw-eap-tnc-dynamic/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat | 15 ++ testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf | 26 ++ .../ikev2/rw-eap-tnc-radius-block/description.txt | 11 - .../ikev2/rw-eap-tnc-radius-block/evaltest.dat | 14 -- .../hosts/alice/etc/raddb/clients.conf | 4 - .../hosts/alice/etc/raddb/dictionary | 2 - .../hosts/alice/etc/raddb/dictionary.tnc | 5 - .../hosts/alice/etc/raddb/eap.conf | 25 -- .../hosts/alice/etc/raddb/proxy.conf | 5 - .../hosts/alice/etc/raddb/radiusd.conf | 120 --------- .../hosts/alice/etc/raddb/sites-available/default | 44 ---- .../alice/etc/raddb/sites-available/inner-tunnel | 32 --- .../etc/raddb/sites-available/inner-tunnel-second | 23 -- .../hosts/alice/etc/raddb/users | 2 - .../hosts/alice/etc/tnc_config | 3 - .../hosts/carol/etc/ipsec.conf | 24 -- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../hosts/carol/etc/tnc_config | 3 - .../hosts/dave/etc/ipsec.conf | 24 -- .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../hosts/dave/etc/tnc_config | 3 - .../hosts/moon/etc/init.d/iptables | 84 ------- .../hosts/moon/etc/ipsec.conf | 25 -- .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 12 - .../ikev2/rw-eap-tnc-radius-block/posttest.dat | 8 - .../ikev2/rw-eap-tnc-radius-block/pretest.dat | 15 -- .../tests/ikev2/rw-eap-tnc-radius-block/test.conf | 26 -- .../tests/ikev2/rw-eap-tnc-radius/description.txt | 10 - testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat | 19 -- .../hosts/alice/etc/raddb/clients.conf | 4 - .../hosts/alice/etc/raddb/dictionary | 2 - .../hosts/alice/etc/raddb/dictionary.tnc | 5 - .../hosts/alice/etc/raddb/eap.conf | 25 -- .../hosts/alice/etc/raddb/proxy.conf | 5 - .../hosts/alice/etc/raddb/radiusd.conf | 120 --------- .../hosts/alice/etc/raddb/sites-available/default | 44 ---- .../alice/etc/raddb/sites-available/inner-tunnel | 32 --- .../etc/raddb/sites-available/inner-tunnel-second | 36 --- .../rw-eap-tnc-radius/hosts/alice/etc/raddb/users | 2 - .../rw-eap-tnc-radius/hosts/alice/etc/tnc_config | 3 - .../rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf | 24 -- .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-radius/hosts/carol/etc/tnc_config | 3 - .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf | 24 -- .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-radius/hosts/dave/etc/tnc_config | 3 - .../hosts/moon/etc/init.d/iptables | 84 ------- .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf | 35 --- .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 13 - testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat | 8 - testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat | 18 -- testing/tests/ikev2/rw-eap-tnc-radius/test.conf | 26 -- testing/tests/ikev2/rw-eap-tnc-tls/description.txt | 7 - testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat | 19 -- .../rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf | 24 -- .../rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-tls/hosts/carol/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf | 24 -- .../rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf | 36 --- .../rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets | 6 - .../rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf | 13 - .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat | 15 -- testing/tests/ikev2/rw-eap-tnc-tls/test.conf | 26 -- testing/tests/ikev2/rw-eap-tnc/description.txt | 9 - testing/tests/ikev2/rw-eap-tnc/evaltest.dat | 19 -- .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf | 23 -- .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets | 3 - .../rw-eap-tnc/hosts/carol/etc/strongswan.conf | 6 - .../rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf | 23 -- .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets | 3 - .../rw-eap-tnc/hosts/dave/etc/strongswan.conf | 6 - .../rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf | 36 --- .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets | 6 - .../rw-eap-tnc/hosts/moon/etc/strongswan.conf | 13 - .../ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc/pretest.dat | 15 -- testing/tests/ikev2/rw-eap-tnc/test.conf | 26 -- .../ikev2/two-certs/hosts/carol/etc/ipsec.conf | 1 + .../critical-extension/description.txt | 5 + .../openssl-ikev2/critical-extension/evaltest.dat | 6 + .../critical-extension/hosts/moon/etc/ipsec.conf | 25 ++ .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 0 -> 952 bytes .../hosts/moon/etc/strongswan.conf | 12 + .../critical-extension/hosts/sun/etc/ipsec.conf | 25 ++ .../hosts/sun/etc/ipsec.d/certs/sunCert.der | Bin 0 -> 951 bytes .../hosts/sun/etc/strongswan.conf | 6 + .../openssl-ikev2/critical-extension/posttest.dat | 5 + .../openssl-ikev2/critical-extension/pretest.dat | 6 + .../openssl-ikev2/critical-extension/test.conf | 21 ++ testing/tests/p2pnat/behind-same-nat/pretest.dat | 2 +- testing/tests/p2pnat/medsrv-psk/pretest.dat | 2 +- testing/tests/sql/multi-level-ca/description.txt | 6 + testing/tests/sql/multi-level-ca/evaltest.dat | 18 ++ .../sql/multi-level-ca/hosts/carol/etc/ipsec.conf | 7 + .../hosts/carol/etc/ipsec.d/data.sql | 192 ++++++++++++++ .../multi-level-ca/hosts/carol/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/carol/etc/strongswan.conf | 10 + .../sql/multi-level-ca/hosts/dave/etc/ipsec.conf | 7 + .../multi-level-ca/hosts/dave/etc/ipsec.d/data.sql | 194 ++++++++++++++ .../multi-level-ca/hosts/dave/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/dave/etc/strongswan.conf | 10 + .../sql/multi-level-ca/hosts/moon/etc/ipsec.conf | 7 + .../multi-level-ca/hosts/moon/etc/ipsec.d/data.sql | 164 ++++++++++++ .../multi-level-ca/hosts/moon/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/multi-level-ca/posttest.dat | 10 + testing/tests/sql/multi-level-ca/pretest.dat | 18 ++ testing/tests/sql/multi-level-ca/test.conf | 21 ++ .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql | 4 +- .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql | 4 +- .../tests/sql/net2net-route-pem/description.txt | 10 + testing/tests/sql/net2net-route-pem/evaltest.dat | 16 ++ .../net2net-route-pem/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 249 ++++++++++++++++++ .../net2net-route-pem/hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + .../sql/net2net-route-pem/hosts/sun/etc/ipsec.conf | 8 + .../hosts/sun/etc/ipsec.d/data.sql | 249 ++++++++++++++++++ .../net2net-route-pem/hosts/sun/etc/ipsec.secrets | 3 + .../hosts/sun/etc/strongswan.conf | 10 + testing/tests/sql/net2net-route-pem/posttest.dat | 6 + testing/tests/sql/net2net-route-pem/pretest.dat | 13 + testing/tests/sql/net2net-route-pem/test.conf | 21 ++ .../tests/sql/net2net-start-pem/description.txt | 10 + testing/tests/sql/net2net-start-pem/evaltest.dat | 12 + .../net2net-start-pem/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 279 +++++++++++++++++++++ .../net2net-start-pem/hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + .../sql/net2net-start-pem/hosts/sun/etc/ipsec.conf | 8 + .../hosts/sun/etc/ipsec.d/data.sql | 273 ++++++++++++++++++++ .../net2net-start-pem/hosts/sun/etc/ipsec.secrets | 3 + .../hosts/sun/etc/strongswan.conf | 10 + testing/tests/sql/net2net-start-pem/posttest.dat | 6 + testing/tests/sql/net2net-start-pem/pretest.dat | 11 + testing/tests/sql/net2net-start-pem/test.conf | 21 ++ 381 files changed, 5016 insertions(+), 1732 deletions(-) create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/23.pem create mode 100644 testing/tests/ha/both-active/description.txt create mode 100644 testing/tests/ha/both-active/evaltest.dat create mode 100755 testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables create mode 100755 testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ha/both-active/posttest.dat create mode 100644 testing/tests/ha/both-active/pretest.dat create mode 100644 testing/tests/ha/both-active/test.conf create mode 100644 testing/tests/ikev2/critical-extension/description.txt create mode 100644 testing/tests/ikev2/critical-extension/evaltest.dat create mode 100755 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/critical-extension/posttest.dat create mode 100644 testing/tests/ikev2/critical-extension/pretest.dat create mode 100644 testing/tests/ikev2/critical-extension/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc/test.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/description.txt create mode 100644 testing/tests/openssl-ikev2/critical-extension/evaltest.dat create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/posttest.dat create mode 100644 testing/tests/openssl-ikev2/critical-extension/pretest.dat create mode 100644 testing/tests/openssl-ikev2/critical-extension/test.conf create mode 100644 testing/tests/sql/multi-level-ca/description.txt create mode 100644 testing/tests/sql/multi-level-ca/evaltest.dat create mode 100755 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/multi-level-ca/posttest.dat create mode 100644 testing/tests/sql/multi-level-ca/pretest.dat create mode 100644 testing/tests/sql/multi-level-ca/test.conf create mode 100644 testing/tests/sql/net2net-route-pem/description.txt create mode 100644 testing/tests/sql/net2net-route-pem/evaltest.dat create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/sql/net2net-route-pem/posttest.dat create mode 100644 testing/tests/sql/net2net-route-pem/pretest.dat create mode 100644 testing/tests/sql/net2net-route-pem/test.conf create mode 100644 testing/tests/sql/net2net-start-pem/description.txt create mode 100644 testing/tests/sql/net2net-start-pem/evaltest.dat create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/sql/net2net-start-pem/posttest.dat create mode 100644 testing/tests/sql/net2net-start-pem/pretest.dat create mode 100644 testing/tests/sql/net2net-start-pem/test.conf (limited to 'testing') diff --git a/testing/INSTALL b/testing/INSTALL index 5e42925f7..bb4272eaf 100644 --- a/testing/INSTALL +++ b/testing/INSTALL @@ -53,23 +53,22 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.34.1.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.tar.bz2 - * The Linux kernel 2.6.34.1 does not require any patches for the uml guest kernel - to successfully start up but the xfrm_mark patch must be applied for - XFRM MARK support. + * The Linux kernel 2.6.36 does not require any patches for the uml guest kernel + to successfully start up. * The matching .config file required to compile the UML kernel: - http://download.strongswan.org/uml/.config-2.6.34 + http://download.strongswan.org/uml/.config-2.6.36 * A gentoo-based UML file system (compressed size 130 MBytes) found at - http://download.strongswan.org/uml/gentoo-fs-20100703.tar.bz2 + http://download.strongswan.org/uml/gentoo-fs-20100830.tar.bz2 * The latest strongSwan distribution - http://download.strongswan.org/strongswan-4.4.2.tar.bz2 + http://download.strongswan.org/strongswan-4.5.1.tar.bz2 3. Creating the environment diff --git a/testing/Makefile.in b/testing/Makefile.in index 82b751fd2..cbb7555f0 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -175,9 +175,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -216,6 +214,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/testing/do-tests.in b/testing/do-tests.in index 2e67e9367..27ad200fb 100755 --- a/testing/do-tests.in +++ b/testing/do-tests.in @@ -343,6 +343,7 @@ do # $DIR/scripts/load-testconfig $testname + unset RADIUSHOSTS source $TESTDIR/test.conf diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts index fb07a2f6e..0931f450e 100644 --- a/testing/hosts/default/etc/hosts +++ b/testing/hosts/default/etc/hosts @@ -18,8 +18,10 @@ 10.1.0.40 dave2.strongswan.org dave2 10.1.0.50 carol3.strongswan.org carol3 10.1.0.51 dave3.strongswan.org dave3 +10.1.0.5 mars1.strongswan.org mars1 # virtual gateway 10.1.0.1 moon1.strongswan.org moon1 192.168.0.1 moon.strongswan.org moon +192.168.0.5 mars.strongswan.org mars # virtual gateway 192.168.0.50 alice1.strongswan.org alice1 192.168.0.100 carol.strongswan.org carol 10.3.0.1 carol1.strongswan.org carol1 diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql index eb41533cb..2917fc3fc 100644 --- a/testing/hosts/default/etc/ipsec.d/tables.sql +++ b/testing/hosts/default/etc/ipsec.d/tables.sql @@ -18,9 +18,11 @@ CREATE TABLE child_configs ( updown TEXT DEFAULT NULL, hostaccess INTEGER NOT NULL DEFAULT '0', mode INTEGER NOT NULL DEFAULT '2', + start_action INTEGER NOT NULL DEFAULT '0', dpd_action INTEGER NOT NULL DEFAULT '0', close_action INTEGER NOT NULL DEFAULT '0', - ipcomp INTEGER NOT NULL DEFAULT '0' + ipcomp INTEGER NOT NULL DEFAULT '0', + reqid INTEGER NOT NULL DEFAULT '0' ); DROP INDEX IF EXISTS child_configs_name; CREATE INDEX child_configs_name ON child_configs ( @@ -38,6 +40,19 @@ CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector child_cfg, traffic_selector ); +DROP TABLE IF EXISTS proposals; +CREATE TABLE proposals ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + proposal TEXT NOT NULL +); + +DROP TABLE IF EXISTS child_config_proposal; +CREATE TABLE child_config_proposal ( + child_cfg INTEGER NOT NULL, + prio INTEGER NOT NULL, + prop INTEGER NOT NULL +); + DROP TABLE IF EXISTS ike_configs; CREATE TABLE ike_configs ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, @@ -47,6 +62,13 @@ CREATE TABLE ike_configs ( remote TEXT NOT NULL ); +DROP TABLE IF EXISTS ike_config_proposal; +CREATE TABLE ike_config_proposal ( + ike_cfg INTEGER NOT NULL, + prio INTEGER NOT NULL, + prop INTEGER NOT NULL +); + DROP TABLE IF EXISTS peer_configs; CREATE TABLE peer_configs ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, @@ -139,6 +161,20 @@ CREATE TABLE shared_secret_identity ( PRIMARY KEY (shared_secret, identity) ); +DROP TABLE IF EXISTS certificate_authorities; +CREATE TABLE certificate_authorities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + certificate INTEGER NOT NULL +); + +DROP TABLE IF EXISTS certificate_distribution_points; +CREATE TABLE certificate_distribution_points ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + ca INTEGER NOT NULL, + type INTEGER NOT NULL, + uri TEXT NOT NULL +); + DROP TABLE IF EXISTS pools; CREATE TABLE pools ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt index dd69a793f..246f2d5b7 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt +++ b/testing/hosts/winnetou/etc/openssl/index.txt @@ -32,3 +32,4 @@ V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/ V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 150803083841Z 22 unknown /C=CH/O=Linux strongSwan/CN=aaa.strongswan.org +V 151119165922Z 23 unknown /C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old index 58a88a3cb..dd69a793f 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/index.txt.old @@ -31,3 +31,4 @@ V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/C V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +V 150803083841Z 22 unknown /C=CH/O=Linux strongSwan/CN=aaa.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/23.pem b/testing/hosts/winnetou/etc/openssl/newcerts/23.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/23.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial index 409940768..a45fd52cc 100644 --- a/testing/hosts/winnetou/etc/openssl/serial +++ b/testing/hosts/winnetou/etc/openssl/serial @@ -1 +1 @@ -23 +24 diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old index 2bd5a0a98..409940768 100644 --- a/testing/hosts/winnetou/etc/openssl/serial.old +++ b/testing/hosts/winnetou/etc/openssl/serial.old @@ -1 +1 @@ -22 +23 diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index e22b65cf4..023b71750 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -202,6 +202,16 @@ then echo -n " --enable-tnccs-11" >> $INSTALLSHELL fi +if [ "$USE_TNCCS_20" = "yes" ] +then + echo -n " --enable-tnccs-20" >> $INSTALLSHELL +fi + +if [ "$USE_TNCCS_DYNAMIC" = "yes" ] +then + echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL +fi + if [ "$USE_SQL" = "yes" ] then echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL @@ -292,6 +302,16 @@ then echo -n " --enable-gcm" >> $INSTALLSHELL fi +if [ "$USE_HA" = "yes" ] +then + echo -n " --enable-ha" >> $INSTALLSHELL +fi + +if [ "$USE_CISCO_QUIRKS" = "yes" ] +then + echo -n " --enable-cisco-quirks" >> $INSTALLSHELL +fi + echo "" >> $INSTALLSHELL echo "make -j" >> $INSTALLSHELL echo "make install" >> $INSTALLSHELL diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls index 486955a69..18dc64a9d 100755 --- a/testing/scripts/kstart-umls +++ b/testing/scripts/kstart-umls @@ -67,10 +67,10 @@ do \$SWITCH_${host} \ mem=${MEM}M con=pty con0=fd:0,fd:1" & cgecho "done" + sleep 15 fi let "x0+=dx" let "y0+=dy" - sleep 15 done if [ -z "$BOOTING_HOSTS" ] diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls index 717199606..ed2662b6c 100755 --- a/testing/scripts/xstart-umls +++ b/testing/scripts/xstart-umls @@ -67,10 +67,10 @@ do \$SWITCH_${host} \ mem=${MEM}M con=pty con0=fd:0,fd:1" & cgecho "done" + sleep 15 fi let "x0+=dx" let "y0+=dy" - sleep 15 done if [ -z "$BOOTING_HOSTS" ] diff --git a/testing/testing.conf b/testing/testing.conf index b9cb4bb30..b078ab2c0 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required) -KERNEL=$UMLTESTDIR/linux-2.6.35.2.tar.bz2 +KERNEL=$UMLTESTDIR/linux-2.6.36.2.tar.bz2 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` # Kernel configuration file -KERNELCONFIG=$UMLTESTDIR/.config-2.6.35 +KERNELCONFIG=$UMLTESTDIR/.config-2.6.36 # Bzipped uml patch for kernel -#UMLPATCH=$UMLTESTDIR/xfrm_mark.patch.bz2 +UMLPATCH=$UMLTESTDIR/ha-2.6.36.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.4.2.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.5.1.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" @@ -48,13 +48,15 @@ USE_EAP_TNC="yes" USE_TNC_IMC="yes" USE_TNC_IMV="yes" USE_TNCCS_11="yes" +USE_TNCCS_20="yes" +USE_TNCCS_DYNAMIC="yes" USE_SQL="yes" USE_MEDIATION="yes" USE_OPENSSL="yes" USE_BLOWFISH="yes" USE_KERNEL_PFKEY="yes" USE_INTEGRITY_TEST="yes" -USE_LEAK_DETECTIVE="yes" +USE_LEAK_DETECTIVE="no" USE_LOAD_TESTER="yes" USE_TEST_VECTORS="yes" USE_GCRYPT="yes" @@ -66,12 +68,14 @@ USE_ADDRBLOCK="yes" USE_CTR="yes" USE_CCM="yes" USE_GCM="yes" +USE_HA="yes" +USE_CISCO_QUIRKS="no" # Gentoo linux root filesystem -ROOTFS=$UMLTESTDIR/gentoo-fs-20100805.tar.bz2 +ROOTFS=$UMLTESTDIR/gentoo-fs-20101120.tar.bz2 # Size of the finished root filesystem in MB -ROOTFSSIZE=700 +ROOTFSSIZE=800 # Amount of Memory to use per UML [MB]. # If "auto" is stated 1/12 of total host ram will be used. diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt new file mode 100644 index 000000000..4c64fff97 --- /dev/null +++ b/testing/tests/ha/both-active/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each +to the virtual gateway mars implemented by the two real gateways +alice and moon in a High Availability (HA) setup +based on ClusterIP. Depending on the hash of the IP addresses of the peers +and the SPIs, the inbound and outbound CHILD_SAs are either assigned to +segment 1 managed by alice or segment 2 handled by moon. +The IKEv2 protocol is managed by moon exclusively with passive +IKE_SAs installed on the backup gateway alice. diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat new file mode 100644 index 000000000..7256743ac --- /dev/null +++ b/testing/tests/ha/both-active/evaltest.dat @@ -0,0 +1,20 @@ +moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES +alice::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES +alice::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +alice::cat /var/log/daemon.log::HA segment 1 activated::YES +moon::cat /var/log/daemon.log::HA segment 2 activated::YES +alice::cat /var/log/daemon.log::installed HA CHILD_SA::YES +moon::cat /var/log/daemon.log::handling HA CHILD_SA::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES +carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES +dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES +dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::YES +venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES +venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES +venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES +venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables new file mode 100755 index 000000000..95d3b8828 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables @@ -0,0 +1,104 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # forward ESP-tunneled traffic + iptables -A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT + iptables -A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT + iptables -A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT + + # clusterip rules + iptables -A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 + iptables -A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 + + # allow esp + iptables -A INPUT -p 50 -j ACCEPT + iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT + iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # allow heartbeat + iptables -A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT + iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT + + # allow ICMP type 3 + iptables -A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT + iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT + + # allow IGMP multicasts + iptables -A INPUT -d 224.0.0.1 -p igmp -j ACCEPT + iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..09a5364f4 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=192.168.0.5 + leftcert=marsCert.pem + leftid=@mars.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..9196315a3 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE +UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl +sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w +YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j +ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g +cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D +bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS +AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD +5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u +DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km +KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB +UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK +QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt +AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG +3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b +M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv +2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9 +4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO +KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd +D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU +nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe +bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD +7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa +qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX +onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA marsKey.pem diff --git a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..c1745ec29 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha + plugins { + ha { + local = PH_IP_ALICE + remote = PH_IP_MOON1 + segment_count = 2 + fifo_interface = yes + monitor = yes + } + } +} + diff --git a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..79e06d4de --- /dev/null +++ b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=192.168.0.5 + rightid=@mars.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..af91a172a --- /dev/null +++ b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..f75e13d2e --- /dev/null +++ b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=192.168.0.5 + rightid=@mars.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..60dbb5ba2 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + diff --git a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..6f7a0316b --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables @@ -0,0 +1,104 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # forward ESP-tunneled traffic + iptables -A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT + iptables -A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT + iptables -A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT + + # clusterip rules + iptables -A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1 + iptables -A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \ + --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1 + + # allow esp + iptables -A INPUT -p 50 -j ACCEPT + iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT + iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # allow heartbeat + iptables -A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT + iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT + + # allow ICMP type 3 + iptables -A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT + iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT + + # allow IGMP multicasts + iptables -A INPUT -d 224.0.0.1 -p igmp -j ACCEPT + iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..09a5364f4 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=192.168.0.5 + leftcert=marsCert.pem + leftid=@mars.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..9196315a3 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE +UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl +sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w +YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j +ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g +cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D +bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS +AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD +5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u +DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km +KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB +UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK +QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt +AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG +3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b +M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv +2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9 +4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO +KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd +D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU +nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe +bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD +7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa +qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX +onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA marsKey.pem diff --git a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1cece26d2 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha + plugins { + ha { + local = PH_IP_MOON1 + remote = PH_IP_ALICE + segment_count = 2 + fifo_interface = yes + monitor = yes + } + } +} + diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat new file mode 100644 index 000000000..49bf76055 --- /dev/null +++ b/testing/tests/ha/both-active/posttest.dat @@ -0,0 +1,17 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +alice::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +alice::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::ip addr del 192.168.0.5/24 dev eth0 +moon::ip addr del 10.1.0.5/16 dev eth1 +alice::ip addr del 192.168.0.5/24 dev eth1 +alice::ip addr del 10.1.0.5/16 dev eth0 +alice::/etc/init.d/net.eth1 stop +venus::ip route del default via 10.1.0.5 dev eth0 +venus::ip route add default via 10.1.0.1 dev eth0 +moon::conntrack -F +alice::conntrack -F diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat new file mode 100644 index 000000000..e2e509855 --- /dev/null +++ b/testing/tests/ha/both-active/pretest.dat @@ -0,0 +1,18 @@ +moon::ip addr add 192.168.0.5/24 dev eth0 +moon::ip addr add 10.1.0.5/16 dev eth1 +alice::/etc/init.d/net.eth1 start +alice::ip addr add 192.168.0.5/24 dev eth1 +alice::ip addr add 10.1.0.5/16 dev eth0 +venus::ip route del default via 10.1.0.1 dev eth0 +venus::ip route add default via 10.1.0.5 dev eth0 +moon::/etc/init.d/iptables start 2> /dev/null +alice::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +alice::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf new file mode 100644 index 000000000..0473013e1 --- /dev/null +++ b/testing/tests/ha/both-active/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="venus carol dave" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice moon carol dave" diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index c35a8019e..8bc2e8688 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat @@ -1,7 +1,7 @@ moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon::sleep 35::no output expected::NO -carol::iptables -D INPUT 1::no output expected::NO +carol::sleep 35::no output expected::NO +carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat index acb432172..92681011f 100644 --- a/testing/tests/ikev1/dynamic-initiator/pretest.dat +++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat @@ -10,4 +10,4 @@ carol::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon -dave::sleep 1 +dave::sleep 2 diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat index a330b1074..c0f166ff4 100644 --- a/testing/tests/ikev1/dynamic-responder/pretest.dat +++ b/testing/tests/ikev1/dynamic-responder/pretest.dat @@ -10,4 +10,4 @@ moon::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon -dave::sleep 1 +dave::sleep 2 diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat index ed8f39316..f0c5bcec6 100644 --- a/testing/tests/ikev1/net2net-start/pretest.dat +++ b/testing/tests/ikev1/net2net-start/pretest.dat @@ -2,4 +2,4 @@ moon::/etc/init.d/iptables start 2> /dev/null sun::/etc/init.d/iptables start 2> /dev/null moon::ipsec start sun::ipsec start -alice::sleep 12 +alice::sleep 20 diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt index 83e9d2726..98d85f30b 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/description.txt +++ b/testing/tests/ikev1/xauth-rsa-fail/description.txt @@ -2,4 +2,4 @@ The roadwarrior carol sets up a connection to gateway moon. The authentication is based on RSA signatures (RSASIG) using X.509 certificates followed by extended authentication (XAUTH) based on user name and password. Because user carol presents a wrong -XAUTH password the IKE negotation is aborted and the ISAKMP SA is deleted. +XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted. diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt index ffbb47c04..a6fe82330 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt +++ b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt @@ -2,5 +2,5 @@ The roadwarrior carol sets up a connection to gateway moon. The authentication is based on RSA signatures (RSASIG) using X.509 certificates followed by extended authentication (XAUTH) based on user name and password. Because user carol cannot find her -XAUTH credentials in ipsec.secrets, the IKE negotation is aborted and the +XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the ISAKMP SA is deleted. diff --git a/testing/tests/ikev2/critical-extension/description.txt b/testing/tests/ikev2/critical-extension/description.txt new file mode 100644 index 000000000..8c0d37c88 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/description.txt @@ -0,0 +1,5 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates which contain a critical but +unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical +extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf, +sun discards such certificates and aborts the connection setup. diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat new file mode 100644 index 000000000..8c2f8ec9d --- /dev/null +++ b/testing/tests/ikev2/critical-extension/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/daemon.log::sending end entity cert::YES +moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES +sun::cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES +sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e3c9dde4 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.der + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der new file mode 100644 index 000000000..7f78d5820 Binary files /dev/null and b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der differ diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bfc83ab4d --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} + +libstrongswan { + x509 { + enforce_critical = no + } +} diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..19e197131 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.der + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der new file mode 100644 index 000000000..c1efb6719 Binary files /dev/null and b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der differ diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..cb17a9e07 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat new file mode 100644 index 000000000..a4c96e10f --- /dev/null +++ b/testing/tests/ikev2/critical-extension/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null + diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat new file mode 100644 index 000000000..2d7a78acb --- /dev/null +++ b/testing/tests/ikev2/critical-extension/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf new file mode 100644 index 000000000..41ee3037e --- /dev/null +++ b/testing/tests/ikev2/critical-extension/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf index 88f162098..47dab951f 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf index 88f162098..8335e51f6 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt new file mode 100644 index 000000000..350aefc60 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +RSA signature accompanied by a certificate. +carol and dave then set up an EAP-TTLS tunnel each via moon to +the FreeRADIUS server alice authenticated by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 1.1 client-server interface. +carol passes the health test and dave fails. Based on these measurements carol +is authenticated successfully and is granted access to the subnet behind moon whereas +dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat new file mode 100644 index 000000000..517ea9ab2 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary new file mode 100644 index 000000000..1a27a02fc --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary @@ -0,0 +1,2 @@ +$INCLUDE /usr/share/freeradius/dictionary +$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc new file mode 100644 index 000000000..f295467a9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc @@ -0,0 +1,5 @@ +ATTRIBUTE TNC-Status 3001 integer + +VALUE TNC-Status Access 0 +VALUE TNC-Status Isolate 1 +VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..1143a0473 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second new file mode 100644 index 000000000..2d4961288 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second @@ -0,0 +1,23 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..a9509a716 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for TNC@FHH-TNC-Server + +IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9cf2b43c4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..998e6c2e5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..621e94f0e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +none diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..fc8f84638 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4d2d3058d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat new file mode 100644 index 000000000..132752119 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +alice::rm /etc/raddb/sites-enabled/inner-tunnel-second +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat new file mode 100644 index 000000000..dc7d5934e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second +alice::cat /etc/raddb/sites-enabled/inner-tunnel-second +alice::/etc/init.d/radiusd start +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf new file mode 100644 index 000000000..bb6b68687 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt new file mode 100644 index 000000000..7eebd3d4d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +RSA signature accompanied by a certificate. +carol and dave then set up an EAP-TTLS tunnel each via moon to +the FreeRADIUS server alice authenticated by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 1.1 client-server interface. +carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat new file mode 100644 index 000000000..d0ea22ba9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary new file mode 100644 index 000000000..1a27a02fc --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary @@ -0,0 +1,2 @@ +$INCLUDE /usr/share/freeradius/dictionary +$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc new file mode 100644 index 000000000..f295467a9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc @@ -0,0 +1,5 @@ +ATTRIBUTE TNC-Status 3001 integer + +VALUE TNC-Status Access 0 +VALUE TNC-Status Isolate 1 +VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..1143a0473 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second new file mode 100644 index 000000000..f91bccc72 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second @@ -0,0 +1,36 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + if (control:TNC-Status == "Access") { + update reply { + Tunnel-Type := ESP + Filter-Id := "allow" + } + } + elsif (control:TNC-Status == "Isolate") { + update reply { + Tunnel-Type := ESP + Filter-Id := "isolate" + } + } + + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..a9509a716 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for TNC@FHH-TNC-Server + +IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9cf2b43c4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..998e6c2e5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..33dcdcfb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f4e456bbe --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat new file mode 100644 index 000000000..132752119 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +alice::rm /etc/raddb/sites-enabled/inner-tunnel-second +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat new file mode 100644 index 000000000..8dd865819 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat @@ -0,0 +1,18 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second +alice::cat /etc/raddb/sites-enabled/inner-tunnel-second +alice::/etc/init.d/radiusd start +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf new file mode 100644 index 000000000..2a52df203 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-tnc-11/description.txt b/testing/tests/ikev2/rw-eap-tnc-11/description.txt new file mode 100644 index 000000000..4b4808c94 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 1.1 client-server interface. +carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, +respectively. + diff --git a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat new file mode 100644 index 000000000..a02755148 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c12143cb1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f8700d3c5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..ac436a344 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-11/test.conf b/testing/tests/ikev2/rw-eap-tnc-11/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt new file mode 100644 index 000000000..c7422aa46 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 2.0 client-server interface +compliant with RFC 5793 PB-TNC. +

+carol passes the health test and dave fails. Based on these measurements +carol is authenticated successfully and is granted access to the subnet behind +moon whereas dave fails the layered EAP authentication and is rejected. +

diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat new file mode 100644 index 000000000..f1753c208 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1a39b8c57 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + tnc-imc { + preferred_language = de, en + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..eb7007726 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + tnc-imc { + preferred_language = ru, fr, en + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..621e94f0e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +none diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6747b4a4a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..20caf8e84 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf @@ -0,0 +1,19 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-2.0 + } + tnc-imv { + recommendation_policy = all + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..ac436a344 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt new file mode 100644 index 000000000..54590a951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon, +both ends doing certificate-based EAP-TLS authentication only. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 2.0 client-server interface +compliant with RFC 5793 PB-TNC. +

+carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, +respectively. +

diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat new file mode 100644 index 000000000..bbc0603b6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..1b6274215 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..54c06b12e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..04a243cad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + request_peer_auth = yes + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..ac436a344 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-20/description.txt b/testing/tests/ikev2/rw-eap-tnc-20/description.txt new file mode 100644 index 000000000..6a9c5dde8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the TNCCS 2.0 client-server interface +compliant with RFC 5793 PB-TNC. +

+carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, +respectively. +

diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat new file mode 100644 index 000000000..737c9b9ef --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..3797993fa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..c20b5e57f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..3797993fa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..b76c1cd55 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..67896d543 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so +IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-20/test.conf b/testing/tests/ikev2/rw-eap-tnc-20/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-block/description.txt deleted file mode 100644 index 51423177a..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/description.txt +++ /dev/null @@ -1,8 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon -using EAP-TTLS authentication only with the gateway presenting a server certificate and -the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements -carol is authenticated successfully and is granted access to the subnet behind -moon whereas dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat deleted file mode 100644 index 2304df23e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat +++ /dev/null @@ -1,12 +0,0 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf deleted file mode 100755 index c19192dae..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 7d5ea8b83..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index 621e94f0e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -none diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 6747b4a4a..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf deleted file mode 100644 index f8700d3c5..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown - multiple_authentication=no - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config deleted file mode 100644 index ac436a344..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for strongSwan server - -IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat deleted file mode 100644 index 7cebd7f25..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat deleted file mode 100644 index ce897d181..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-block/test.conf deleted file mode 100644 index e28b8259b..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-block/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt new file mode 100644 index 000000000..21e9bc675 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt @@ -0,0 +1,12 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of TNC client carol via the TNCCS 1.1 client-server interface and of +TNC client dave via the TNCCS 2.0 client-server interface. TNC server +moon dynamically detects which version of the IF-TNCCS protocol is used. +

+carol passes the health test and dave fails. Based on these measurements the +clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, +respectively. +

diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat new file mode 100644 index 000000000..2c7a2dbd7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat @@ -0,0 +1,27 @@ +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES +moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES +moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES +moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES +moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES +moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES +moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES +moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c19192dae --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..6a12318db --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file new file mode 100644 index 000000000..f5da834c0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +allow diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..3797993fa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..7d5ea8b83 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b2aa2806a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file new file mode 100644 index 000000000..33945dc1e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file @@ -0,0 +1 @@ +isolate diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..3797993fa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..50514c99f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + charondebug="tls 2, tnc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..a1a4a4747 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnccs-20 tnccs-dynamic tnc-imv updown + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-dynamic + } + } +} diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..67896d543 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan server + +IMV "Dummy" /usr/local/lib/libdummyimv.so +IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat new file mode 100644 index 000000000..ce897d181 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::cat /etc/tnc/dummyimc.file +dave::cat /etc/tnc/dummyimc.file +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf new file mode 100644 index 000000000..e28b8259b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt deleted file mode 100644 index 350aefc60..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt +++ /dev/null @@ -1,11 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to -the FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements carol -is authenticated successfully and is granted access to the subnet behind moon whereas -dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat deleted file mode 100644 index 517ea9ab2..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat +++ /dev/null @@ -1,14 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES -moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary deleted file mode 100644 index 1a27a02fc..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary +++ /dev/null @@ -1,2 +0,0 @@ -$INCLUDE /usr/share/freeradius/dictionary -$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc deleted file mode 100644 index f295467a9..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc +++ /dev/null @@ -1,5 +0,0 @@ -ATTRIBUTE TNC-Status 3001 integer - -VALUE TNC-Status Access 0 -VALUE TNC-Status Isolate 1 -VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default deleted file mode 100644 index 802fcfd8d..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default +++ /dev/null @@ -1,44 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second deleted file mode 100644 index 2d4961288..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second +++ /dev/null @@ -1,23 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config deleted file mode 100644 index a9509a716..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for TNC@FHH-TNC-Server - -IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 9cf2b43c4..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 998e6c2e5..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index 621e94f0e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -none diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf deleted file mode 100755 index fc8f84638..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightid=*@strongswan.org - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4d2d3058d..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,12 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown - multiple_authentication=no - plugins { - eap-radius { - secret = gv6URkSs - server = PH_IP_ALICE - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat deleted file mode 100644 index 132752119..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -alice::/etc/init.d/radiusd stop -alice::rm /etc/raddb/sites-enabled/inner-tunnel-second -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat deleted file mode 100644 index dc7d5934e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second -alice::cat /etc/raddb/sites-enabled/inner-tunnel-second -alice::/etc/init.d/radiusd start -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf deleted file mode 100644 index bb6b68687..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt deleted file mode 100644 index 7eebd3d4d..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to -the FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements the -clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat deleted file mode 100644 index d0ea22ba9..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO -dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary deleted file mode 100644 index 1a27a02fc..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary +++ /dev/null @@ -1,2 +0,0 @@ -$INCLUDE /usr/share/freeradius/dictionary -$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc deleted file mode 100644 index f295467a9..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc +++ /dev/null @@ -1,5 +0,0 @@ -ATTRIBUTE TNC-Status 3001 integer - -VALUE TNC-Status Access 0 -VALUE TNC-Status Isolate 1 -VALUE TNC-Status None 2 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default deleted file mode 100644 index 802fcfd8d..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default +++ /dev/null @@ -1,44 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second deleted file mode 100644 index f91bccc72..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second +++ /dev/null @@ -1,36 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - if (control:TNC-Status == "Access") { - update reply { - Tunnel-Type := ESP - Filter-Id := "allow" - } - } - elsif (control:TNC-Status == "Isolate") { - update reply { - Tunnel-Type := ESP - Filter-Id := "isolate" - } - } - - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config deleted file mode 100644 index a9509a716..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for TNC@FHH-TNC-Server - -IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 9cf2b43c4..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 998e6c2e5..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 33dcdcfb0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,35 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf deleted file mode 100644 index f4e456bbe..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown - multiple_authentication=no - plugins { - eap-radius { - secret = gv6URkSs - server = PH_IP_ALICE - filter_id = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat deleted file mode 100644 index 132752119..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -alice::/etc/init.d/radiusd stop -alice::rm /etc/raddb/sites-enabled/inner-tunnel-second -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat deleted file mode 100644 index 8dd865819..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat +++ /dev/null @@ -1,18 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second -alice::cat /etc/raddb/sites-enabled/inner-tunnel-second -alice::/etc/init.d/radiusd start -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf deleted file mode 100644 index 2a52df203..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt deleted file mode 100644 index 762b839ee..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt +++ /dev/null @@ -1,7 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon, -bothe ends doing certificate-based EAP-TLS authentication only. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements the -clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, -respectively. diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat deleted file mode 100644 index cebfff25f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO -dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO - diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 1b6274215..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 54c06b12e..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 50514c99f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,36 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 8898a63ba..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown - multiple_authentication=no - plugins { - eap-ttls { - request_peer_auth = yes - phase2_piggyback = yes - phase2_tnc = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config deleted file mode 100644 index ac436a344..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for strongSwan server - -IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat deleted file mode 100644 index 7cebd7f25..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat deleted file mode 100644 index ce897d181..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf deleted file mode 100644 index e28b8259b..000000000 --- a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc/description.txt deleted file mode 100644 index 4b4808c94..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/description.txt +++ /dev/null @@ -1,9 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon -using EAP-TTLS authentication only with the gateway presenting a server certificate and -the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -carol passes the health test and dave fails. Based on these measurements the -clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, -respectively. - diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat deleted file mode 100644 index a02755148..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO -dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO - diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf deleted file mode 100755 index c19192dae..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 7d5ea8b83..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsendcert=never - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 5496df7ad..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c12143cb1..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown - multiple_authentication=no -} diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config deleted file mode 100644 index a5a9a68f3..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 50514c99f..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,36 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - strictcrlpolicy=no - plutostart=no - charondebug="tls 2, tnc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightid=*@strongswan.org - rightsendcert=never - right=%any diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf deleted file mode 100644 index f8700d3c5..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown - multiple_authentication=no - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config deleted file mode 100644 index ac436a344..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for strongSwan server - -IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc/posttest.dat deleted file mode 100644 index 7cebd7f25..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc/pretest.dat deleted file mode 100644 index ce897d181..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc/test.conf deleted file mode 100644 index e28b8259b..000000000 --- a/testing/tests/ikev2/rw-eap-tnc/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# UML instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf index 9129f160b..08b95659f 100755 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf @@ -2,6 +2,7 @@ config setup crlcheckinterval=180 + uniqueids=no strictcrlpolicy=yes plutostart=no diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt new file mode 100644 index 000000000..8c0d37c88 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/description.txt @@ -0,0 +1,5 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates which contain a critical but +unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical +extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf, +sun discards such certificates and aborts the connection setup. diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat new file mode 100644 index 000000000..1c23dcad6 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/daemon.log::sending end entity cert::YES +moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES +sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES +sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e3c9dde4 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.der + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der new file mode 100644 index 000000000..7f78d5820 Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f4ab41f2c --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} + +libstrongswan { + x509 { + enforce_critical = no + } +} diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..19e197131 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.der + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der new file mode 100644 index 000000000..c1efb6719 Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..c45805ca6 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat new file mode 100644 index 000000000..a4c96e10f --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null + diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat new file mode 100644 index 000000000..2d7a78acb --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf new file mode 100644 index 000000000..41ee3037e --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat index 912222eef..f1e33dc39 100644 --- a/testing/tests/p2pnat/behind-same-nat/pretest.dat +++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat @@ -11,4 +11,4 @@ carol::sleep 1 alice::ipsec start alice::sleep 1 venus::ipsec start -venus::sleep 2 +venus::sleep 4 diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat index a5c9a2fbb..fba7be01d 100644 --- a/testing/tests/p2pnat/medsrv-psk/pretest.dat +++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat @@ -16,4 +16,4 @@ carol::sleep 1 bob::ipsec start bob::sleep 1 alice::ipsec start -alice::sleep 2 +alice::sleep 4 diff --git a/testing/tests/sql/multi-level-ca/description.txt b/testing/tests/sql/multi-level-ca/description.txt new file mode 100644 index 000000000..123ab06b3 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/description.txt @@ -0,0 +1,6 @@ +The VPN gateway moon grants access to the subnet behind it to anyone presenting +a certificate belonging to a trust chain anchored in the strongSwan Root CA. +The hosts carol and dave have certificates from the intermediate +Research CA and Sales CA, respectively. Responder moon does not possess +copies of the Research and Sales CA certificates and must therefore request them from +the initiators carol and dave, respectively. diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat new file mode 100644 index 000000000..91113ce11 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/evaltest.dat @@ -0,0 +1,18 @@ +carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES +dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..66b1473f1 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,192 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */ + 9, X'3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */ + 11, X'e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420'); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */ + 11, X'c71449851517718914a496532a1ee801b21c6aa5'); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ + 11, X'c400ef96d95d5ebb4b2309071f7a6cf3f65491bd' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */ + 1, 1, X'308203c1308202a9a003020102020120300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3130303430363039353335305a170d3139303430343039353335305a3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b526573656172636820434130820122300d06092a864886f70d01010105000382010f003082010a0282010100b639b23aa6e0075b58a73f4fb25a856a72f71b5d3db1e780137a95b9e961a1dfaf19c6b2f9831421591c277b7a046a43f02e2471dc12fdc351d7c9596032a559d4bdd95ca79f21063a717d33d73fd203071cd0690c94cec13120658e5546367bbc49e412819d7564a24de1b58e07af519da8d87edcb1266de809067813452471e0f289e7814efdbefc2d4cc1fab331af3c70fe59c8f2312602d2a5ba043b73d6ae31e142cfe3669527e74a85a11cde6a9bed2234acb40bedb922e13c36afa2de3b41888f01c01a87637bb622e7e5521f4d73d77f47abc6b113cc1ecdf45f51dafe6d14838f78fb0c2ac1f1016518f3c4c98c17fd521b82351374c3389decae390203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e04160414e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b050003820101008d6da16d1b2dcc815c0a3215e2ca1b2e1289b70d059b3fae80a173051abf47e8c8b74260c60528478738bbc8b1322389fa58e0c3f2dd20604395e972ce6f385c16f7b8cce987c1caa8f1e3eeea4c1a8e68b31705b789dcb230432262ae9a8767396c3ac71c8710a370c00c3ce0469968e974ea942e82e5c17f44161040dab11907589a9a06d4279339791344b9b9bcc51e816b0ff4391cffb6dfadc42f63c5c8c7a099ce155d2cb3b5ecddddf63ea86f286801c6354b672ab7cc3feb306db15d5c8a3d4e3acde94c08fd5476c33adad2f5730022e2ca246b4d8642b3ffaf00611eddb66c930de2036ce4d4af8537638e0c156332eeeb7205601bd6f2c1668992' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org */ + 1, 1, X'3082042c30820314a003020102020106300d06092a864886f70d01010b05003051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341301e170d3130303430373039323035375a170d3135303430363039323035375a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e8a8f6d28e9044a366e993843bedd5a17274f0cf34084dac8a27f1a0af64cc454015ec6a6b352ce2f8ed429011e389703510d6cf743f4e6f0305fe4f0380da70438605417bc73e46c0517c4466c5cb332bb7608f9cab8f06c916b5093de9b4e0a10f9eb47b2e94f9b3bfb3d67fa9658afd1f2253bd825dddcf7af1fae8c105bdf26804246f71b362df6aa4d5dd1112d41f6f21e4065a1eb80d2ac5e97cbf1d8fa7dcc792306677509a174ba619231bc635dee1781ff6c71bf756fd133721a29263fc67989b80de639fb990914f5233d43341bd996359b70e7f7771b279c37017782961261a337ba52f855b387bf012b896fa6fd34b30be1e07404c0990fae98f0203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414c400ef96d95d5ebb4b2309071f7a6cf3f65491bd306d0603551d23046630648014e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820120301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730370603551d1f0430302e302ca02aa0288626687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f72657365617263682e63726c300d06092a864886f70d01010b050003820101006a380523c2b3eb5d62d0886ef3e3350b65b59056cbe04a18ca89f7b6b8d167722acfa92c7fd2922824ba162ca5ab80c68a5d26b4cb653fe1ca717cd181263de8ce023bbdf0dba962c2666c14135a64a23fe6f2913cf2f253dada1ac85fa417820b2c19e2f71bf8456220fb2dcce6222b9cbfd6d486b0c11d9e55f6259b0900a85b2d14e60b4d8edcc6c6181410ab57949f5c6447ca67753593266159eb57d9954312c0b80b17dfd572101aedc21d100d38e0e0ad4dd69b898a322c59aa0eeb6af0662f58eccb7f6a8e29c471907c4f7de243ad638b78f1189da324481914280508908f8b6896d61770124c6807aa1dbfa70535d80dc1a2f24a51a47407b532d8' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 7 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 8 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ + 1, X'308204a50201000282010100e8a8f6d28e9044a366e993843bedd5a17274f0cf34084dac8a27f1a0af64cc454015ec6a6b352ce2f8ed429011e389703510d6cf743f4e6f0305fe4f0380da70438605417bc73e46c0517c4466c5cb332bb7608f9cab8f06c916b5093de9b4e0a10f9eb47b2e94f9b3bfb3d67fa9658afd1f2253bd825dddcf7af1fae8c105bdf26804246f71b362df6aa4d5dd1112d41f6f21e4065a1eb80d2ac5e97cbf1d8fa7dcc792306677509a174ba619231bc635dee1781ff6c71bf756fd133721a29263fc67989b80de639fb990914f5233d43341bd996359b70e7f7771b279c37017782961261a337ba52f855b387bf012b896fa6fd34b30be1e07404c0990fae98f0203010001028201010086869c20e739d7d63b7d3744b07a369a215a289b4654bec4d325817b0daf54c57de6af4a612ee00365379ad33ee4b7e55f699b2b5ce5f5ee0e6b7abe29226a2b9b7f74ae86699042cc94d12ba3d91e433a35cfe97a0760ade5bbf175a48ceb7f2ee19f3c7035610278c291b3a721458b760c7886beff10535ed291f4287ce359f4b860c5176456044775be950ebc8f753f885742b0c74006b2d50672a8cc050e5931de65cfbc09ad0c1560a1ae3f5bd830acd8cd004a0031e6cf42368d5d21bab02666fb38b9709b71be5f1d09ccdede38e65d88548f73236847013aacabebb361ad43d2ea59d92f544b858f222497dedc9e83a44488f96c0bcd0df8df8e678102818100ff6b7443e3a6b55b11e012f9a70b73fea85a51aaa36de73b7d48b945874f5d32c5fd04e45229c1a2c9721a93fa30f9b587a17d9d7e395b5889658a0492179d52be6b8adcfc6211597fc144732d59e7a7bfbc11ef6a6dd46471a7bc9366d8f501e261b977121e99ed028d241ba8070bff85bdbacd832b92627f6c8886be0b946102818100e930460397ee15d8cce4804db29972734574f10261a0438d757f45c83deba360e147315a5def25161fdc0e797a199cd89766092aade82aec47f4712ab963b027bb803fc618492d57b7e49e75c2e417f1de1517438ac04cbc7cc7095a7bec1cf8034c79a6351c1d0a3861861f6913e25e141428609dfa5937ebe97a5fdc1643ef0281810093ea65955f43cee8e38c3150f4a5145298aa5d7b055403421746c34c7994c37340e74b2af24e0e3e388ce4c9676d6f5eea21e27e0f7825e73b025b90540e6ae45d342861dba2eb4b3a49f15b061b77a554cb1453e2fda1af5d867715a1cce8ee636c969c5718f3a926fe17b81071ac4818ea8c40b1c2ccee4fbec9bdc6572c6102818100c2ba953d1afaaf33c4a66c9e75aebe6c946bfb77499f53ca257c8b0194f3da13650cd6a1e81f7490ed3a0ebc52c260c05e6dcee9dd202bf7f47ea4a250fe76743797f9a9ab4e309737f1aa821ca5ed790544079157a50e6fb8a35da43a280a68f21842de112bd0f45ff0d0d81a1f88c19772dde51107a6c9942ffd095ff917f102818004145ff4373203f45d993b33a9e6df3cf366c7b88768d6eb6775dbbf2bf73f92e4cd79452d3bc0843cff52a9d533b0707b53867896245df9a28d18e927e53c76d79bd98cd9ded9e5ccac227f3fb4e75fcb7236af5fd5f6e4fb8407663ae55d0e58898815594b9e9dcc4721386c89af7819625ab4d141456cc50b765880e04e1c' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 7 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 8 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 7, 9 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..b8780e56e --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,194 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA */ + 9, X'304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */ + 11, X'5f9b1346f92072c800d588b5a74c2e97ea0b9328' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */ + 11, X'c9ca6b980be96d5f210d7fed1529eb6c567ec26c' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ + 11, X'671081ec8703e10c31abdf12d53275046eba1522' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales CN=Sales CA */ + 1, 1, X'308203bb308202a3a003020102020121300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3130303430363039353433335a170d3139303430343039353433335a304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c657320434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c24e4d26998c37b9511fa125ba1d704e34581c569beaf41620fe14b736734847fd07169b55dfaa773da9a3cf1a8c4ed817f05e01441df39d4331c6bad861b2f74c3e49963f5677b83af0b1caab98bcaae0923cedec527a7d608260951226f9e53e1f371ad320625aa1ee899fdbfd6701b607e52bde7140ff075c91276a27173a5cbf4329c464dd3c59b6ff52b837ed13d1bbf3b3ba3c94b27f2518865773d4465ee4f4ec52801b049d030d7271df9eb6903b5f41dc1ecdab742c0c8eb1569b62aff41bf7c16702cb7abe2a185dbedc2b2f3fb8cd5e785161e4afdbee22da602381b0512350378aaa14dcdab5bcf02aceb7a4388fd157d1eb7bd2f5afc5f574810203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145f9b1346f92072c800d588b5a74c2e97ea0b9328306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b0500038201010024654ea5cc8c7cbbafbad69eaff4f721674dde9dfb2e8a9078fd92f612039abbc587663f7238f983f6aa93e762349ec9f302978648c8c5e77d46f3e4ebee5e9e12092d2021427a98aebee5fd5add449d07809ed0e7789a45084262f32850914aa7615a8573349ae5f814f56b977df9a2d600be52da9a94a103e01bae0c3e0872dd2c946f8a817a9964dc9751ffa3a00392d078db4b888ed8fdd6cc33646f9f6f38448231a764ea3761eea7a04d2c7bfa7cb8b1749a4cfa71bb6631987feedd9ee63a64386f22dd7ccebff69f510b0503e13394a3621190219566373343aca19500ab5ae4b1bc0700468b4b9773d7c15d645c7df237375fc8663fe86f9b775828' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org */ + 1, 1, X'3082041c30820304a003020102020105300d06092a864886f70d01010b0500304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341301e170d3130303430373039343234315a170d3135303430363039343234315a3056310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce70203010001a381ff3081fc30090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414671081ec8703e10c31abdf12d53275046eba1522306d0603551d230466306480145f9b1346f92072c800d588b5a74c2e97ea0b9328a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820121301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f73616c65732e63726c300d06092a864886f70d01010b05000382010100791f98e3a7d2ef103c89a7fdf1ec26aa3a12014a5e67de0ece8b58174f91872c187dfe5e62e92c24d5e7b2da8333a4782c743a202f2b65bf344a5eea49019b79c5669be48ec17e27214425786cebad37f17c0e2342846d129d81018b3462e4ad3a2c069db434f434bbfb884fc8e3d35b13c39daa7113d731eaf3699bb556421339917be726941ec47840840fe1b14ce9d82d159e2a0f80588138fdf2cdeecd1eabde25494b729bbd4b67d92630c007908c846db96f5486bb9398f84fa8f45f03cf71854c4a3a20a9ecdefaa6dfdc443e26446519dccbff5ed3a0b5989d5c242ea4039fa07e45fc273e4d845e776eb4facdcfa0b75b2ef334d9e272202d5c0abe' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 7 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 8 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ + 1, X'308204a50201000282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce702030100010282010100994a9a0fd5c37466f6e49729277b7353b1d4ae10352fc785654a3d7bddb9d610138ef62744418b543f9635d86662e6be82955fbde190920360673dc98c0931808ce81bdf5a68dc37d91efe33e4cc7883d23b0fc7c126c9b975b2ac130a5fcfb9399575406ae19b09aa61ea3a7fab140146a9c7865ce9887d349fa78360784f1c3a051defaf19b9e35b324ab2fb3a119897a5f27f58a7757906a1b0617b83ef6a579c6ac2c84204a7f6e4b6765e376f643b7bf074b886c49a4ad9de99eb4af4d549189aa62f37a1435ea645702bf186e4f60eff312161a7018f1a372a9b6fecccbe02b3d20cb584b18aba18dd02fe0d9c9d1bdf8af60e4d17b95795b117f475d102818100e76e0922daa0426c8196ad867cbd912b01b4399302e89566e92a45d3230cdd88d243ac46c2300841750c8bc5b17ee77c790abdef3e5f24dcd39cbb2d35e65f50048cc83315e97bbb2e478d2ec0b096604e2a690bc83f9768c6abeb39f73013359d9e97d43d75b78ada505dad5cbe8ea3484dd4207bd0628057e159b90018544f02818100e4d089fdbe62b874cc33cee7723a91285e85a66f36d3e64319a686f1f81c6318f04c916a314e48ca55d70dd5603b93038eefca897ef74056318f19b25ad7abe066c31da87127367dec9461c2683a844bfdbf9bd65636567a20dc7b390502ec50bcc7770904b8af308e3c3583892cb8831b5ff5fd9c4bc9b34c5e9b387b26efe902818008d236e2ef366091c636ba12803ab187d41ecc7b0007617a74b4b9c89c73671649fd6e599c193c975220d24b0cc2eb8be10939c81eb67daf3519aa40c4e72d06ddc587f3fa87d5c182b813778ebcac5eab5c0e78f67f0604665e332f186eeaac867f7f0605f9b0af4836fbfb19a7e1c3f38393ec510bd655520432e94c49a11d02818100c9b9988e5e34c68e222162bde59500b8686cc7c8b0bbabfb6837ca2cb522c1b310d7503420f7f5707cb135fef1f253b0056a1e538dde099873e4c730d8a9df5bdcfd13be96d38d550327e5eff0d7f61ed0bd0674b658fd707a5c273ea3ce69ecdc21b62dfb3d9f25dd9ff345ddbfd183b4b4ab38457d037bd14e6ee6229cb75102818100991ff421b606875609ed9f629b8e0c4d2cfa1fb6d39e62038ccdfff8857275256015bcdca151bae2c4397c856230bb73f4f1c345129bb3c4c1ce9cbb0bfc02d6a46aa6af48d7b20d490cef9b70e96763e547449e3767407cef57b6413bddc11f7ff808ec958ea2ecbfbdcce2cdf45e9a75a534ae548b6f457b4425182f53c97d' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 7 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 8 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 7, 9 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..71141db03 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,164 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +INSERT INTO certificate_authorities ( + certificate +) VALUES ( + 1 +); + +INSERT INTO certificate_distribution_points ( + ca, type, uri +) VALUES ( + 1, 1, 'http://crl.strongswan.org/strongswan.crl' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'rw', 1, 4, 6 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat new file mode 100644 index 000000000..d4d57ad83 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat new file mode 100644 index 000000000..76316f33d --- /dev/null +++ b/testing/tests/sql/multi-level-ca/pretest.dat @@ -0,0 +1,18 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/sql/multi-level-ca/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql index 54086643f..ef6849c11 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql @@ -109,9 +109,9 @@ INSERT INTO ike_configs ( ); INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, mobike + name, ike_cfg, local_id, remote_id, mobike, dpd_delay ) VALUES ( - 'net-net', 1, 4, 5, 0 + 'net-net', 1, 4, 5, 0, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql index 2bc8b34c8..79a35ef68 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql @@ -109,9 +109,9 @@ INSERT INTO ike_configs ( ); INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, mobike + name, ike_cfg, local_id, remote_id, mobike, dpd_delay ) VALUES ( - 'net-net', 1, 5, 4, 0 + 'net-net', 1, 5, 4, 0, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-route-pem/description.txt b/testing/tests/sql/net2net-route-pem/description.txt new file mode 100644 index 000000000..5a6681f6e --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/description.txt @@ -0,0 +1,10 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and RSA private keys stored +in PEM format in an SQLite database. The IKE_SA configuration details and the +traffic selectors of three CHILD_SAs are also stored in the database and the first two of +them are marked to be automatically routed by gateway moon via the start_action +field in the child_configs table. +

+In order to trigger the IKE connection setup and subsequently test both tunnel and firewall, client +alice behind gateway moon pings client bob located behind gateway sun +and bob in turn ping client venus behind gateway moon. diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat new file mode 100644 index 000000000..eaca715d5 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/evaltest.dat @@ -0,0 +1,16 @@ +moon::ipsec statusall::net-1.*ROUTED::YES +sun::ipsec statusall::net-1.*ROUTED::YES +moon::ipsec statusall::net-2.*ROUTED::YES +sun::ipsec statusall::net-2.*ROUTED::YES +moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES +moon::ipsec statusall::net-1.*INSTALLED::YES +sun::ipsec statusall::net-1.*INSTALLED::YES +sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES +moon::ipsec statusall::net-2.*INSTALLED::YES +sun::ipsec statusall::net-2.*INSTALLED::YES +moon::ipsec statusall::net-net.*ESTABLISHED::YES +sun::ipsec statusall::net-net.*ESTABLISHED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..a35643454 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,249 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494945496a4343417771674177494241674942467a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a45774d444d7a4d6c6f58445445304d4467794e6a45774d444d7a4d6c6f77526a454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e33595734784844416142674e5642414d5445323176623234750a633352796232356e6333646862693576636d6377676745694d4130474353714753496233445145424151554141344942447741776767454b416f49424151444b0a4c324d39314c753642595968577857674d53397a39544d535477737a6d3572684f375a497343744d526f3450416559772b2b2b5347587433435058622f2b702b0a53574b476c6d313172504537316551336568676832433368417572666d574f306951516143772b6664726565495643714f51494f503655715a333237683579590a5970486b385651763476424a547078636c553150716e5768657165315a6c4c7873573737334c526d6c2f6651742f5567764a6b4342545a5a4f4e4c4e4d664b2b0a3754446e5961567341746e636776444e37386e554e456532715939324b4b375372424a36537055456734396d3531462b586773476373675756485338356f6e330a4f6d2f47343863724c45564a6a6475384378657753525667622b6c504a577a4864385173553056672f37766c7173335a524d794e744e4b7272346f70537656620a41366167476c5458684443726544695855384b4841674d424141476a676745614d494942466a414a42674e5648524d45416a41414d41734741315564447751450a417749447144416442674e564851344546675155617078303066694a65596e325770547069664836773253644b533477625159445652306a424759775a4941550a5861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b77467759445651514b0a4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a7662335167513047430a4151417748675944565230524242637746594954625739766269357a64484a76626d647a643246754c6d39795a7a415442674e56485355454444414b426767720a42674546425163444154413542674e56485238454d6a41774d4336674c4b41716869686f644852774f69387659334a734c6e4e30636d39755a334e33595734750a62334a6e4c334e30636d39755a334e335957347559334a734d4130474353714753496233445145424377554141344942415143637458673278654d6f7a6154560a6a69424c3150384d5939754548354a7455304563655131526249352f32764752646e45434e44396f4144593576616d616145324d64713251682f766c586e4d4c0a6f33696935454c6a73516c596454595a4f634d4f6463555558597662624658316377706b426879426c314832354b7074486367512f486e63654b70336b4f75710a77594f596a6777655058756c6370575878304532517451434651515a4650794557654e4a7848306f676c6735335150586648593949322f47756b6a355630627a0a70374d45304773384b646e59646d626244717a51675073746139362f6d2b486f4a6c737256462b34477169686a3642574d42513279626a50575a6447336f48390a32356345387636305279393844305a2f747967624155466e68356f4f766166363432706156676333616f4137374938552b555a6a45437849536f6948756c74590a37515475664f77500a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949456f77494241414b43415145417969396a5064533775675747495673566f444576632f557a456b384c4d35756134547532534c41725445614f4477486d0a4d5076766b686c3764776a31322f2f71666b6c6968705a7464617a784f39586b4e336f594964677434514c7133356c6a74496b45476773506e3361336e6946510a716a6b43446a2b6c4b6d6439753465636d474b52355046554c2b4c7753553663584a564e543670316f58716e74575a53386246752b3979305a706633304c66310a494c795a4167553257546a537a544879767530773532476c62414c5a33494c777a652f4a3144524874716d506469697530717753656b715642494f505a7564520a666c344c426e4c49466c5230764f614a397a7076787550484b797846535933627641735873456b5659472f7054795673783366454c464e4659502b373561724e0a3255544d6a62545371362b4b4b55723157774f6d6f42705531345177713367346c3150436877494441514142416f494241434246422f5871616a763666626e390a4b367078727a3032755877476d61635841745649446f507a656a576d5853345141346c313748724a446d656c536e68656c444b7279386e6e59486b5472547a370a6d6e307751344844577938366f2f6f6b4a55472f544b524c64366266373961525171716f6871643369516b486b343347797a7558482b6f47696f564b463066630a41434457773477666a4c37464d4e6448435a34427a394472484f2f79734865394236727653596d33565a52685378616e65496b614c6b6b4461644b70567833660a584e466c4d785934714b504a5959536f4a5a3631694d71724f372b726e413933746d7944447338504b553342746e70664e72646550676c654a48686b385a71790a4576322f4e4f43535578624b45384e43744c704754732b5430716a6a6e75346b33575064335a4f4241616e30755044656b485a6548422f6158474c68596378780a4a35537572714543675945412b46316770706b4552354a746f617564742f43557064513173523977786637355642714a34466959414247517a39786c47346f6a0a7a4c2f6f3537327330695633627746706e51612b5775577278476b50365a75422f5a38326e7063304e2f764c6f752f623464787667346e374b2b654f4f4566300a38464d6a7373653274715449584b4371636d516e52304e5051316a777576454b73585035772f4a4f6c6e525841586e64346a78734a49304367594541304761540a3631795374745557396a43336d787559366a6b5179385445517152336e4f467657776d435849574f704e2f4d54545075732b54656c78702f70644b68552b6d6f0a506d5833556e796e65355076776c6557447133597a6c7458355a445a474a35554a6c4b754e6e6647497a51364f6348526262377a4270514736715352507575670a62676f36383868546e62314c35396e4b38387a57564b3435657566367079756f492b537749474d436759454137797645386b6e7968425876657a7576307a31620a6547486d4870352f564477593044514b5345416f6942426957726b4c714c7962677758662f4b4a38645a5a6338456e303861465832474c4a7959652f4b6942310a797333797045424a716776526179502b6f2f394b5a2b714e4e5264307271416b735058764c3741424e4e74306b7a617054535644616533597536732f6a31616d0a44494c35714165455249446564473575445070517a645543675942374d746a705036334142684c76385862706242516e43787442797733573839462b586372740a7635356751646845346353754d7a412f43754d4834764e7050533641493961424a4e686a3343744b6f2f634f4a616368414762312f77766b4f35414c764c57300a66685a6450737455546e444a61696e377666462f68777a62732f506c685867753954394b6c4c665276584664472b53643467386d756d52696f7a634c6b6f52770a7936585054774b4267444a502b733977586d644739304853542f61714337464b7256584c7042363364593573774e556651503673613070466e4f4e3072304a430a682f594373474646494165625132754f6b4d33673366396e6b775470373931306f762b2f3575546876524932773242425079306d5675414c506a797946315a320a6362397a70794b694975586f585243663473643872316c5239626e304678783053767078662b66704d475349357175484e424b590a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-aes192-aes256-sha256-sha384-sha512-modp3072-modp4096-modp8192' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', 'PH_IP_SUN' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 4, 5, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 1 +); diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql new file mode 100644 index 000000000..97c482e05 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql @@ -0,0 +1,249 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d49494549444343417769674177494241674942466a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a41354e546b774e466f58445445304d4467794e6a41354e546b774e466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e316269357a0a64484a76626d647a643246754c6d39795a7a4343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414e2b560a5649706e3651356a61552f2f454e3670364135635366556668424b306d4661326c6146465a682f593068363641587171725133583931376837594e73536b36380a6f6f77593968394933674f7837684e5642734a7232566a6459432b623071354e54686130392f41356d696d762f7072596a366f30796177786f506a6f447339590a683744374b662b4638666b676b3073746c484a5a5836364a37644e72465862673178426c642b4570354f72324662455a3951575570525154756864704e742f340a3959757851353944656d59394952627773724b434848306d47724a7344647165623061702b3851765358486a4374316672394d4e4b5761414641514c4b5149340a65306461316e74504345514c65453833332b4e4e5242674775666b304b714754336541587172786139414549554a6e5663506578516471554d6a6355705846620a38574e7a525742384567683342444b36467345434177454141614f4341526b77676745564d416b4741315564457751434d4141774377594456523050424151440a41674f6f4d42304741315564446751574242525731703476327169687a526c634931506e78625a776c754d4c2b7a427442674e5648534d455a6a426b674252640a70393177426c45796675653262624f31356542673669354e3736464a704563775254454c4d416b474131554542684d43513067784754415842674e5642416f540a45457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39755a314e3359573467556d397664434244515949420a4144416442674e5648524545466a415567684a7a64573475633352796232356e6333646862693576636d6377457759445652306c42417777436759494b7759420a42515548417745774f51594456523066424449774d4441756f4379674b6f596f6148523063446f764c324e796243357a64484a76626d647a643246754c6d39790a5a79397a64484a76626d647a643246754c6d4e796244414e42676b71686b6947397730424151734641414f43415145416f33374c595439417778304d4b2f6e410a465a70504a7155723045792b4f35556b63736478376e643030536c6d7069515259384b6d7552584342516e444567644c73746433736c516a5430704a456757460a30707a7879626e4936654f7a5941684c66686172742b5831685552694e4762586a67676d32733449352b4b33326256496b4e45716c73596e642f3646396f6f350a5a4e4f302f65545472754c5a666b4e652f7a636842474b652f5a374d616356776c59575743624d744256344b316435644763525267705139576976446c6d61740a4e6839776c736344536753476b33484a6b62786e71363935564e377a5562445741557657576856356249446a6c41522f7879543941707149786979565652756c0a665972453755303548627436476741726f414b4c7036714a7570392b547851414b536a4b49774a306866374f7559795138545a7456485337414f686d2b542f350a472f6a4747413d3d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949457041494241414b434151454133355655696d6670446d4e70542f385133716e6f446c784a39522b4545725359567261566f55566d48396a5348726f420a6571717444646633587548746732784b547279696a426a3248306a654137487545315547776d765a574e31674c357653726b314f4672543338446d614b612f2b0a6d746950716a544a724447672b4f674f7a316948735073702f3458782b53435453793255636c6c66726f6e7430327356647544584547563334536e6b367659560a73526e31425a536c46424f3646326b32332f6a31693746446e304e365a6a306846764379736f496366535961736d774e3270357652716e377843394a63654d4b0a33562b76307730705a6f415542417370416a6837523172576530384952417434547a666634303145474161352b5451716f5a50643442657176467230415168510a6d64567739374642327051794e78536c6356767859334e4659487753434863454d726f577751494441514142416f49424144483531686a4e327a6b394856676c0a516d635441577a6355696535634c4d6872502b4d396d7443384f336a634377774659364f77666e624d553844487930474d714867356c423862393955555650770a484c417a6a44772f45536b633670675a73344545684a5473784a4c7376546e655067487373456779586e58663767525645714a6b506f6866792b5a79305543480a6549555158694d6c4f513778673769444d68774e612b5564575374353339447a74534b696c516e327864505a6a466e4d54302f7072766c344e412f385a6e35340a2f5364574471357952644c576236454b315637794a33363837475852316a7a47746779375458756e63554a56545967583752645031546e36675744385941512f0a52665430446457596d34574853675362392f4e57386c425a483279793368672b6c4e676f665845765466426b4f3551795733314c497230744356367a684a49630a59394d78614b55436759454139736b7461586668504c653045436a646551454f7135454b754472437669534b434f754156344244534f736477362b354c5766590a56622f6f6b65384e37306c4c335243626c636a31704f4b575569324f2f5370454a6444526475697732674d39635874332f624368535448433454734978784e2f0a4462394f476737326b5a347352593541752b7a794141515942775868465775783139344a6b35714b304a626c4e47394a35514d715a44634367594541352b35680a426748554d454f2b70644d45356c416953633550634e54656a7041366a2b4f696b4368342f4846587933432f644c782b4373312b6567773634633869566149760a4e456f376e374539493065335871616e505258684d6e425272502b33394f567357506d5a31384c6932486938344b774a7969385931316c33584a4f71615970460a774d5655755a70785230646647356b2f354777542f74456b6d5142676c4f6747336d327a554d634367594541346d335664396168563564703541584b707a4b630a4a6a69504d466668784a6f372b46457a305a554370303371596c6a42752f4a79344d4b532f677272717969434c645147484e6c6b34534e784c766455496437380a356747426e757544454a5532644141494b554539797132596c42555a5361634f7853744932736e7432382f583650334c5557486d374c4c55354f5331443356660a6d4b50462f364d6c534a75617335434571565a4e4e2b4d436759424839516837496151676d565155424b565867334d76374f647576557954644b4947744878690a4e33785a376878734450344a6a4e57614b6d6c63476d4647583870715152686549383364334e4a34474b38476d6250335773743070363566657a4d71737564720a723330516d5046696367732f745943514477366f2b61507a77416932462b564f5371726672744149616c64537137684c2b56413231644b422b63443955674f580a6a50642b54774b42675143624b656732514e53327168504947396561714a44524f75786d78622f303764374f426374674d677856764b687157396857343253790a674a353966797a35516a4642615366634f646634676b4b79456177566f34352f7136796d495155333752347646344357395a334366614962774a70374c6348560a7a483037736f2f484e735a75613647574353434c4a55354d654352695a7a6b3252466953394b49614c5034675a6e6476346c584f69513d3d0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-sha256-modp3072' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_SUN', 'PH_IP_MOON' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 5, 4, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 0 +); diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat new file mode 100644 index 000000000..13f7ede0a --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat new file mode 100644 index 000000000..5a537e15b --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/pretest.dat @@ -0,0 +1,13 @@ +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +sun::ipsec start +moon::ipsec start +moon::sleep 1 +alice::ping -c 1 PH_IP_BOB +bob::ping -c 1 PH_IP_VENUS diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf new file mode 100644 index 000000000..13a8a2a48 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/sql/net2net-start-pem/description.txt b/testing/tests/sql/net2net-start-pem/description.txt new file mode 100644 index 000000000..ff83304e8 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/description.txt @@ -0,0 +1,10 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and RSA private keys stored +in PEM format in an SQLite database. The IKE_SA configuration details and the +traffic selectors of three CHILD_SAs are also stored in the database and are marked to be +automatically started by gateway moon via the start_action field in the +child_configs table. +

+In order to test both tunnel and firewall, client alice +behind gateway moon pings client bob located behind gateway sun and +bob in turn ping client venus behind gateway moon. diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat new file mode 100644 index 000000000..eaacd0133 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/evaltest.dat @@ -0,0 +1,12 @@ +moon::ipsec statusall::net-net.*ESTABLISHED::YES +sun::ipsec statusall::net-net.*ESTABLISHED::YES +moon::ipsec statusall::net-1.*INSTALLED::YES +sun::ipsec statusall::net-1.*INSTALLED::YES +moon::ipsec statusall::net-2.*INSTALLED::YES +sun::ipsec statusall::net-2.*INSTALLED::YES +moon::ipsec statusall::net-3.*INSTALLED::YES +sun::ipsec statusall::net-3.*INSTALLED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..e828f8902 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,279 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494945496a4343417771674177494241674942467a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a45774d444d7a4d6c6f58445445304d4467794e6a45774d444d7a4d6c6f77526a454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e33595734784844416142674e5642414d5445323176623234750a633352796232356e6333646862693576636d6377676745694d4130474353714753496233445145424151554141344942447741776767454b416f49424151444b0a4c324d39314c753642595968577857674d53397a39544d535477737a6d3572684f375a497343744d526f3450416559772b2b2b5347587433435058622f2b702b0a53574b476c6d313172504537316551336568676832433368417572666d574f306951516143772b6664726565495643714f51494f503655715a333237683579590a5970486b385651763476424a547078636c553150716e5768657165315a6c4c7873573737334c526d6c2f6651742f5567764a6b4342545a5a4f4e4c4e4d664b2b0a3754446e5961567341746e636776444e37386e554e456532715939324b4b375372424a36537055456734396d3531462b586773476373675756485338356f6e330a4f6d2f47343863724c45564a6a6475384378657753525667622b6c504a577a4864385173553056672f37766c7173335a524d794e744e4b7272346f70537656620a41366167476c5458684443726544695855384b4841674d424141476a676745614d494942466a414a42674e5648524d45416a41414d41734741315564447751450a417749447144416442674e564851344546675155617078303066694a65596e325770547069664836773253644b533477625159445652306a424759775a4941550a5861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b77467759445651514b0a4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a7662335167513047430a4151417748675944565230524242637746594954625739766269357a64484a76626d647a643246754c6d39795a7a415442674e56485355454444414b426767720a42674546425163444154413542674e56485238454d6a41774d4336674c4b41716869686f644852774f69387659334a734c6e4e30636d39755a334e33595734750a62334a6e4c334e30636d39755a334e335957347559334a734d4130474353714753496233445145424377554141344942415143637458673278654d6f7a6154560a6a69424c3150384d5939754548354a7455304563655131526249352f32764752646e45434e44396f4144593576616d616145324d64713251682f766c586e4d4c0a6f33696935454c6a73516c596454595a4f634d4f6463555558597662624658316377706b426879426c314832354b7074486367512f486e63654b70336b4f75710a77594f596a6777655058756c6370575878304532517451434651515a4650794557654e4a7848306f676c6735335150586648593949322f47756b6a355630627a0a70374d45304773384b646e59646d626244717a51675073746139362f6d2b486f4a6c737256462b34477169686a3642574d42513279626a50575a6447336f48390a32356345387636305279393844305a2f747967624155466e68356f4f766166363432706156676333616f4137374938552b555a6a45437849536f6948756c74590a37515475664f77500a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949456f77494241414b43415145417969396a5064533775675747495673566f444576632f557a456b384c4d35756134547532534c41725445614f4477486d0a4d5076766b686c3764776a31322f2f71666b6c6968705a7464617a784f39586b4e336f594964677434514c7133356c6a74496b45476773506e3361336e6946510a716a6b43446a2b6c4b6d6439753465636d474b52355046554c2b4c7753553663584a564e543670316f58716e74575a53386246752b3979305a706633304c66310a494c795a4167553257546a537a544879767530773532476c62414c5a33494c777a652f4a3144524874716d506469697530717753656b715642494f505a7564520a666c344c426e4c49466c5230764f614a397a7076787550484b797846535933627641735873456b5659472f7054795673783366454c464e4659502b373561724e0a3255544d6a62545371362b4b4b55723157774f6d6f42705531345177713367346c3150436877494441514142416f494241434246422f5871616a763666626e390a4b367078727a3032755877476d61635841745649446f507a656a576d5853345141346c313748724a446d656c536e68656c444b7279386e6e59486b5472547a370a6d6e307751344844577938366f2f6f6b4a55472f544b524c64366266373961525171716f6871643369516b486b343347797a7558482b6f47696f564b463066630a41434457773477666a4c37464d4e6448435a34427a394472484f2f79734865394236727653596d33565a52685378616e65496b614c6b6b4461644b70567833660a584e466c4d785934714b504a5959536f4a5a3631694d71724f372b726e413933746d7944447338504b553342746e70664e72646550676c654a48686b385a71790a4576322f4e4f43535578624b45384e43744c704754732b5430716a6a6e75346b33575064335a4f4241616e30755044656b485a6548422f6158474c68596378780a4a35537572714543675945412b46316770706b4552354a746f617564742f43557064513173523977786637355642714a34466959414247517a39786c47346f6a0a7a4c2f6f3537327330695633627746706e51612b5775577278476b50365a75422f5a38326e7063304e2f764c6f752f623464787667346e374b2b654f4f4566300a38464d6a7373653274715449584b4371636d516e52304e5051316a777576454b73585035772f4a4f6c6e525841586e64346a78734a49304367594541304761540a3631795374745557396a43336d787559366a6b5179385445517152336e4f467657776d435849574f704e2f4d54545075732b54656c78702f70644b68552b6d6f0a506d5833556e796e65355076776c6557447133597a6c7458355a445a474a35554a6c4b754e6e6647497a51364f6348526262377a4270514736715352507575670a62676f36383868546e62314c35396e4b38387a57564b3435657566367079756f492b537749474d436759454137797645386b6e7968425876657a7576307a31620a6547486d4870352f564477593044514b5345416f6942426957726b4c714c7962677758662f4b4a38645a5a6338456e303861465832474c4a7959652f4b6942310a797333797045424a716776526179502b6f2f394b5a2b714e4e5264307271416b735058764c3741424e4e74306b7a617054535644616533597536732f6a31616d0a44494c35714165455249446564473575445070517a645543675942374d746a705036334142684c76385862706242516e43787442797733573839462b586372740a7635356751646845346353754d7a412f43754d4834764e7050533641493961424a4e686a3343744b6f2f634f4a616368414762312f77766b4f35414c764c57300a66685a6450737455546e444a61696e377666462f68777a62732f506c685867753954394b6c4c665276584664472b53643467386d756d52696f7a634c6b6f52770a7936585054774b4267444a502b733977586d644739304853542f61714337464b7256584c7042363364593573774e556651503673613070466e4f4e3072304a430a682f594373474646494165625132754f6b4d33673366396e6b775470373931306f762b2f3575546876524932773242425079306d5675414c506a797946315a320a6362397a70794b694975586f585243663473643872316c5239626e304678783053767078662b66704d475349357175484e424b590a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-sha256-modp2048' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192-sha384-modp3072' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128gcm128' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192gcm128' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', 'PH_IP_SUN' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 2, 2 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 4, 5, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 4 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 2, 4 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 1 +); diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql new file mode 100644 index 000000000..c5676b749 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql @@ -0,0 +1,273 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494944754443434171436741774942416749424144414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441304d446b784d4445774d4445784f466f58445445354d446b774e7a45774d4445784f466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39750a5a314e3359573467556d39766443424451544343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414c2f790a58324c7150565a75574c5049656b6e4b383678687a366c6a64334e4e6843327a2b5031756f43503373424d755a695a51456a467a686e4b6362587843656f32660a466e76684f4f6a727269735375566b7a757538326f7858443366496b7a7553376d395634453130455a7a676d4b5749662b57754e52666267417555494e6d4c630a345947415842514c50797a7050344f75343868687a2f59516f3538426963733650487935763334714356524f4958447671686a39315038672b70532b4632312f0a37502b4348326a5263564945485a7447384d2f507765545051393564507a705964324f7636535a2f553745576d624d6d5438566355596e3161436878466d79350a6777655642576c6b48364d502b31446545302f744c35633837786f354b4365474b3854647170653773425243347050454548445163695455766b65754a3150720a4b2b314c77647152786f3748674d5269447738434177454141614f42736a4342727a415342674e5648524d4241663845434441474151482f416745424d4173470a413155644477514541774942426a416442674e5648513445466751555861666463415a524d6e376e746d327a74655867594f6f7554653877625159445652306a0a424759775a4941555861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b770a467759445651514b4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a760a6233516751304743415141774451594a4b6f5a496876634e4151454c425141446767454241434f536d71454274424c52396156335579434938676d7a5235696e0a4c74653961555858532b716973364632683253746634734e2b4e6c36476a37524543365370664548347757647769554c354a30434a68796f4f6a5175446c336e0a314477336445342f7a714d5a6479444b455954553735546d7675734e4a426447734c6b726637454154416a6f692f6e72544f5950506853555a7650702f442b590a764f524a39456a353147586c4b316e774542356941382b7444596e694e516e364244314d456749656a7a4b2b66626979376272615a42316b71686f45723253690a376c7542536e55393132737734393445383861324557626d4d766732545648504e7a4370566b704e6b376b69664369776d7739566c646b71597939792f6c43610a45707970376c54664b77376362443034566b38514a573738324c36437375786b6c333436623137776d4f716e38415a6970733374467375415933773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */ + 1, 1, X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d49494549444343417769674177494241674942466a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a41354e546b774e466f58445445304d4467794e6a41354e546b774e466f775254454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e316269357a0a64484a76626d647a643246754c6d39795a7a4343415349774451594a4b6f5a496876634e4151454242514144676745504144434341516f4367674542414e2b560a5649706e3651356a61552f2f454e3670364135635366556668424b306d4661326c6146465a682f593068363641587171725133583931376837594e73536b36380a6f6f77593968394933674f7837684e5642734a7232566a6459432b623071354e54686130392f41356d696d762f7072596a366f30796177786f506a6f447339590a683744374b662b4638666b676b3073746c484a5a5836364a37644e72465862673178426c642b4570354f72324662455a3951575570525154756864704e742f340a3959757851353944656d59394952627773724b434848306d47724a7344647165623061702b3851765358486a4374316672394d4e4b5761414641514c4b5149340a65306461316e74504345514c65453833332b4e4e5242674775666b304b714754336541587172786139414549554a6e5663506578516471554d6a6355705846620a38574e7a525742384567683342444b36467345434177454141614f4341526b77676745564d416b4741315564457751434d4141774377594456523050424151440a41674f6f4d42304741315564446751574242525731703476327169687a526c634931506e78625a776c754d4c2b7a427442674e5648534d455a6a426b674252640a70393177426c45796675653262624f31356542673669354e3736464a704563775254454c4d416b474131554542684d43513067784754415842674e5642416f540a45457870626e563449484e30636d39755a314e3359573478477a415a42674e5642414d54456e4e30636d39755a314e3359573467556d397664434244515949420a4144416442674e5648524545466a415567684a7a64573475633352796232356e6333646862693576636d6377457759445652306c42417777436759494b7759420a42515548417745774f51594456523066424449774d4441756f4379674b6f596f6148523063446f764c324e796243357a64484a76626d647a643246754c6d39790a5a79397a64484a76626d647a643246754c6d4e796244414e42676b71686b6947397730424151734641414f43415145416f33374c595439417778304d4b2f6e410a465a70504a7155723045792b4f35556b63736478376e643030536c6d7069515259384b6d7552584342516e444567644c73746433736c516a5430704a456757460a30707a7879626e4936654f7a5941684c66686172742b5831685552694e4762586a67676d32733449352b4b33326256496b4e45716c73596e642f3646396f6f350a5a4e4f302f65545472754c5a666b4e652f7a636842474b652f5a374d616356776c59575743624d744256344b316435644763525267705139576976446c6d61740a4e6839776c736344536753476b33484a6b62786e71363935564e377a5562445741557657576856356249446a6c41522f7879543941707149786979565652756c0a665972453755303548627436476741726f414b4c7036714a7570392b547851414b536a4b49774a306866374f7559795138545a7456485337414f686d2b542f350a472f6a4747413d3d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 1, X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949457041494241414b434151454133355655696d6670446d4e70542f385133716e6f446c784a39522b4545725359567261566f55566d48396a5348726f420a6571717444646633587548746732784b547279696a426a3248306a654137487545315547776d765a574e31674c357653726b314f4672543338446d614b612f2b0a6d746950716a544a724447672b4f674f7a316948735073702f3458782b53435453793255636c6c66726f6e7430327356647544584547563334536e6b367659560a73526e31425a536c46424f3646326b32332f6a31693746446e304e365a6a306846764379736f496366535961736d774e3270357652716e377843394a63654d4b0a33562b76307730705a6f415542417370416a6837523172576530384952417434547a666634303145474161352b5451716f5a50643442657176467230415168510a6d64567739374642327051794e78536c6356767859334e4659487753434863454d726f577751494441514142416f49424144483531686a4e327a6b394856676c0a516d635441577a6355696535634c4d6872502b4d396d7443384f336a634377774659364f77666e624d553844487930474d714867356c423862393955555650770a484c417a6a44772f45536b633670675a73344545684a5473784a4c7376546e655067487373456779586e58663767525645714a6b506f6866792b5a79305543480a6549555158694d6c4f513778673769444d68774e612b5564575374353339447a74534b696c516e327864505a6a466e4d54302f7072766c344e412f385a6e35340a2f5364574471357952644c576236454b315637794a33363837475852316a7a47746779375458756e63554a56545967583752645031546e36675744385941512f0a52665430446457596d34574853675362392f4e57386c425a483279793368672b6c4e676f665845765466426b4f3551795733314c497230744356367a684a49630a59394d78614b55436759454139736b7461586668504c653045436a646551454f7135454b754472437669534b434f754156344244534f736477362b354c5766590a56622f6f6b65384e37306c4c335243626c636a31704f4b575569324f2f5370454a6444526475697732674d39635874332f624368535448433454734978784e2f0a4462394f476737326b5a347352593541752b7a794141515942775868465775783139344a6b35714b304a626c4e47394a35514d715a44634367594541352b35680a426748554d454f2b70644d45356c416953633550634e54656a7041366a2b4f696b4368342f4846587933432f644c782b4373312b6567773634633869566149760a4e456f376e374539493065335871616e505258684d6e425272502b33394f567357506d5a31384c6932486938344b774a7969385931316c33584a4f71615970460a774d5655755a70785230646647356b2f354777542f74456b6d5142676c4f6747336d327a554d634367594541346d335664396168563564703541584b707a4b630a4a6a69504d466668784a6f372b46457a305a554370303371596c6a42752f4a79344d4b532f677272717969434c645147484e6c6b34534e784c766455496437380a356747426e757544454a5532644141494b554539797132596c42555a5361634f7853744932736e7432382f583650334c5557486d374c4c55354f5331443356660a6d4b50462f364d6c534a75617335434571565a4e4e2b4d436759424839516837496151676d565155424b565867334d76374f647576557954644b4947744878690a4e33785a376878734450344a6a4e57614b6d6c63476d4647583870715152686549383364334e4a34474b38476d6250335773743070363566657a4d71737564720a723330516d5046696367732f745943514477366f2b61507a77416932462b564f5371726672744149616c64537137684c2b56413231644b422b63443955674f580a6a50642b54774b42675143624b656732514e53327168504947396561714a44524f75786d78622f303764374f426374674d677856764b687157396857343253790a674a353966797a35516a4642615366634f646634676b4b79456177566f34352f7136796d495155333752347646344357395a334366614962774a70374c6348560a7a483037736f2f484e735a75613647574353434c4a55354d654352695a7a6b3252466953394b49614c5034675a6e6476346c584f69513d3d0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-sha256-modp2048' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192-sha384-modp3072' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128gcm128' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192gcm128' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_SUN', 'PH_IP_MOON' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 2, 2 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 5, 4, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 4 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 4 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 0 +); diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat new file mode 100644 index 000000000..13f7ede0a --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat new file mode 100644 index 000000000..3e168960d --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/pretest.dat @@ -0,0 +1,11 @@ +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +sun::ipsec start +moon::ipsec start +moon::sleep 2 diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf new file mode 100644 index 000000000..13a8a2a48 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" -- cgit v1.2.3