From 7a229aeb240cc750546f55ad089022f0ca7dc44f Mon Sep 17 00:00:00 2001 
From: Rene Mayrhofer
Date: Sun, 22 Mar 2009 09:52:39 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.2.13)
---
 testing/INSTALL | 6 +-
 testing/testing.conf | 6 +-
 testing/tests/ikev1/dpd-restart/description.txt | 13 ++++
 testing/tests/ikev1/dpd-restart/evaltest.dat | 10 +++
 .../ikev1/dpd-restart/hosts/carol/etc/ipsec.conf | 25 ++++++
 .../ikev1/dpd-restart/hosts/moon/etc/ipsec.conf | 29 +++++++
 testing/tests/ikev1/dpd-restart/posttest.dat | 5 ++
 testing/tests/ikev1/dpd-restart/pretest.dat | 5 ++
 testing/tests/ikev1/dpd-restart/test.conf | 21 +++++
 testing/tests/ikev2/ip-pool-db/description.txt | 2 +-
 .../tests/ikev2/ip-two-pools-db/description.txt | 4 +-
 .../tests/ikev2/ip-two-pools-mixed/description.txt | 9 +++
 .../tests/ikev2/ip-two-pools-mixed/evaltest.dat | 17 ++++
 .../hosts/alice/etc/init.d/iptables | 78 +++++++++++++++++++
 .../ip-two-pools-mixed/hosts/alice/etc/ipsec.conf | 23 ++++++
 .../hosts/alice/etc/strongswan.conf | 5 ++
 .../ip-two-pools-mixed/hosts/carol/etc/ipsec.conf | 23 ++++++
 .../hosts/carol/etc/strongswan.conf | 5 ++
 .../hosts/moon/etc/init.d/iptables | 91 ++++++++++++++++++++++
 .../ip-two-pools-mixed/hosts/moon/etc/ipsec.conf | 27 +++++++
 .../hosts/moon/etc/strongswan.conf | 14 ++++
 .../tests/ikev2/ip-two-pools-mixed/posttest.dat | 9 +++
 testing/tests/ikev2/ip-two-pools-mixed/pretest.dat | 13 ++++
 testing/tests/ikev2/ip-two-pools-mixed/test.conf | 21 +++++
 24 files changed, 452 insertions(+), 9 deletions(-)
 create mode 100644 testing/tests/ikev1/dpd-restart/description.txt
 create mode 100644 testing/tests/ikev1/dpd-restart/evaltest.dat
 create mode 100755 testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev1/dpd-restart/posttest.dat
 create mode 100644 testing/tests/ikev1/dpd-restart/pretest.dat
 create mode 100644 testing/tests/ikev1/dpd-restart/test.conf
 create mode 100644
testing/tests/ikev2/ip-two-pools-mixed/description.txt
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
 create mode 100755 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
 create mode 100644 testing/tests/ikev2/ip-two-pools-mixed/test.conf
(limited to 'testing')
diff --git a/testing/INSTALL b/testing/INSTALL
index d09383328..27a2ddc64 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of
- http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2
+ http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.6.tar.bz2
 * The Linux kernel 2.6.28 does not require any patches for the uml guest kernel to successfully start up.
@@ -68,7 +68,7 @@ are required for the strongSwan testing environment: * The latest strongSwan distribution
- http://download.strongswan.org/strongswan-4.2.12.tar.bz2
+ http://download.strongswan.org/strongswan-4.2.13.tar.bz2
 3. Creating the environment
@@ -143,5 +143,5 @@ README document. -----------------------------------------------------------------------------
-This file is RCSID $Id: INSTALL 4846 2009-01-21 03:14:52Z andreas $
+This file is RCSID $Id: INSTALL 4893 2009-02-21 17:53:10Z andreas $
diff --git a/testing/testing.conf b/testing/testing.conf
index 5871734d2..28b043905 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,14 +14,14 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. #
-# RCSID $Id: testing.conf 4889 2009-02-19 22:02:28Z andreas $
+# RCSID $Id: testing.conf 4893 2009-02-21 17:53:10Z andreas $
 # Root directory of testing UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.28.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.28.6.tar.bz2
 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
@@ -33,7 +33,7 @@ KERNELCONFIG=$UMLTESTDIR/.config-2.6.28 #UMLPATCH=$UMLTESTDIR/uml-2.6.26.patch.bz2 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.2.12.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.2.13.tar.bz2
 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes"
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt
new file mode 100644
index 000000000..0a309cf52
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/description.txt
@@ -0,0 +1,13 @@
+The peer carol and moon both have dynamic IP addresses, so that the remote end
+is defined symbolically by right=%<hostname>. The ipsec starter resolves the
+fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
+/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
+rightallowany=yes will allow an IKE main mode rekeying to arrive from an arbitrary
+IP address under the condition that the peer identity remains unchanged. When this happens
+the old tunnel is replaced by an IPsec connection to the new origin.
+

+In this scenario moon first initiates a tunnel to carol. After some time
+the responder carol disconnects (simulated by iptables blocking IKE and ESP traffic).
+moon detects via Dead Peer Detection (DPD) that the connection is down and tries to
+reconnect. After a few seconds the firewall is opened again and the connection is
+reestablished.
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
new file mode 100644
index 000000000..016524dd9
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+moon::sleep 35::no output expected::NO
+carol::iptables -D INPUT 1::no output expected::NO
+moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
+moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
+moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
+moon::cat /var/log/auth.log::DPD: Restarting connection::YES
+moon::sleep 5::no output expected::NO
+moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e6938e79a
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn moon
+ left=%defaultroute
+ leftnexthop=%direct
+ leftsourceip=PH_IP_CAROL1
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=%moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
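Review bot: `carol::iptables -D INPUT 1` deletes whatever rule is first in INPUT at that moment, not necessarily the DROP rule inserted three steps earlier; `leftfirewall=yes` on carol adds its own iptables rules during the run (the page does not show which chain), so if one of those lands at position 1 the block stays in place and the final `STATE_MAIN_I4` check fails for the wrong reason. Deleting by specification removes exactly the rule that was added: `carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO`. The posttest `iptables stop` only flushes after the whole run, so an aborted test would also leave the block in place until then.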
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ae9b35e97
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ dpdaction=restart
+ dpddelay=5
+ dpdtimeout=25
+
+conn carol
+ left=%defaultroute
+ leftnexthop=%direct
+ leftsubnet=10.1.0.0/16
+ leftsourceip=PH_IP_MOON1
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=%carol.strongswan.org
+ rightid=carol@strongswan.org
+ rightsubnet=PH_IP_CAROL1/32
+ auto=start
diff --git a/testing/tests/ikev1/dpd-restart/posttest.dat b/testing/tests/ikev1/dpd-restart/posttest.dat
new file mode 100644
index 000000000..e092608cb
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/posttest.dat
@@ -0,0 +1,5 @@
+carol::ipsec stop
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
diff --git a/testing/tests/ikev1/dpd-restart/pretest.dat b/testing/tests/ikev1/dpd-restart/pretest.dat
new file mode 100644
index 000000000..caf89d6c6
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/pretest.dat
@@ -0,0 +1,5 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+moon::sleep 4
diff --git a/testing/tests/ikev1/dpd-restart/test.conf b/testing/tests/ikev1/dpd-restart/test.conf
new file mode 100644
index 000000000..4d648102b
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/test.conf
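Review bot: The test description says the reconnect after a DPD restart depends on `rightallowany=yes`, but neither `conn carol` here nor carol's `conn moon` sets that option; the only visible hint is the `%` prefix in `right=%carol.strongswan.org`. If that prefix is what implies allow-any (the configs alone do not show it), a one-line comment above the `right=` line, e.g. `# %<fqdn>: resolved via DNS; peer may rekey from any address`, keeps the description and the config in step. `dpddelay=5` and `dpdtimeout=25` are paired with the `sleep 35` in evaltest.dat, which deserves the same kind of cross-reference, since changing one silently breaks the other.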
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/description.txt b/testing/tests/ikev2/ip-pool-db/description.txt
index 5cc500c98..7bc4ef3ab 100644
--- a/testing/tests/ikev2/ip-pool-db/description.txt
+++ b/testing/tests/ikev2/ip-pool-db/description.txt
@@ -2,7 +2,7 @@ The roadwarriors carol and dave set up a connection each to gatewa Both carol and dave request a virtual IP via the IKEv2 configuration payload by using the leftsourceip=%config parameter. The gateway moon assigns virtual IP addresses from a pool named bigpool that was created in an SQL database by the command
-ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0.
+ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0.

leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnels, carol and dave then ping the client
diff --git a/testing/tests/ikev2/ip-two-pools-db/description.txt b/testing/tests/ikev2/ip-two-pools-db/description.txt
index 14a3f17b5..188b4349e 100644
--- a/testing/tests/ikev2/ip-two-pools-db/description.txt
+++ b/testing/tests/ikev2/ip-two-pools-db/description.txt
@@ -1,9 +1,9 @@ The hosts alice, venus, carol, and dave set up tunnel connections to gateway moon in a hub-and-spoke fashion. Each host requests a virtual IP with the leftsourceip=%config parameter. Gateway moon assigns virtual
-IP addresses from a pool named extpool [10.3.0.1..10.3.255.254] to hosts connecting
+IP addresses from a pool named extpool [10.3.0.1..10.3.1.244] to hosts connecting
 to the eth0 (PH_IP_MOON) interface and virtual IP addresses from a pool named intpool
-[10.4.0.1..10.4.255.254] to hosts connecting to the eth1 (PH_IP_MOON1) interface.
+[10.4.0.1..10.4.1.244] to hosts connecting to the eth1 (PH_IP_MOON1) interface.
 Thus carol and dave are assigned PH_IP_CAROL1 and PH_IP_DAVE1, respectively, whereas alice and venus get 10.4.0.1 and 10.4.0.2, respectively.
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/description.txt b/testing/tests/ikev2/ip-two-pools-mixed/description.txt
new file mode 100644
index 000000000..d771d006d
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/description.txt
@@ -0,0 +1,9 @@
+The hosts alice and carol set up a tunnel connection each to gateway moon.
+Both hosts request a virtual IP via the IKEv2 configuration payload by using the
+leftsourceip=%config parameter. Gateway moon assigns virtual IP
+addresses from a simple pool defined by rightsourceip=10.3.0.0/28 to hosts connecting
+to the eth0 (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool
+named intpool [10.4.0.1..10.4.1.244] to hosts connecting to the eth1 (PH_IP_MOON1) interface.
+

+Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and
+both ping the gateway moon.
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
new file mode 100644
index 000000000..1505de751
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
@@ -0,0 +1,17 @@
+carol::ipsec status::home.*INSTALLED::YES
+alice::ipsec status::home.*INSTALLED::YES
+moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
+moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
+moon::ipsec leases ext::1/15, 1 online::YES
+moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
+moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
+moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
+alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..97b773645
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow ESP
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MOBIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..f5ce1687e
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=%defaultroute
+ leftsourceip=%config
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON1
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e647f1e36
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
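Review bot: `eend $?` at the end of `start()` reports only the status of the last `iptables -A OUTPUT -p tcp --sport 22` rule, so an earlier rule that fails to load is silently skipped while the service still reports success; `stop()` and `reload()` have the same shape, as does the moon script later in this commit (hosts/moon/etc/init.d/iptables). Initialising `rv=0` before the first rule, appending `|| rv=$?` to each iptables line and finishing with `eend $rv` keeps the first failure visible. Separately, the loops in `stop()` and `reload()` use backticks and an unquoted `$a`, and `[ $a == nat ]` relies on a bash extension inside `[`; `while read -r a; do … done < /proc/net/ip_tables_names` with `"$a"` quoted and `=` instead of `==` avoids all three. The file also mixes `/sbin/iptables` and bare `iptables`; one spelling is easier to audit.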
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..bb9d03acd
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,91 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+ iptables -A INPUT -i eth1 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+ iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+ iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+ iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # masquerade crl fetches to winnetou
+ iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d80bb5305
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+
+conn int
+ left=PH_IP_MOON1
+ rightsourceip=%intpool
+ auto=add
+
+conn ext
+ left=PH_IP_MOON
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1b5257ccc
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
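Review bot: `echo 1 > /proc/sys/net/ipv4/ip_forward` in `start()` runs before the `-P FORWARD DROP` line, so forwarding is switched on while FORWARD still carries whatever policy it had before (the kernel default is ACCEPT) until the policy lines execute; moving the echo below the three `-P … DROP` lines removes that window at no cost. The `MASQUERADE` rule is correctly scoped to `-s 10.1.0.0/16 -d PH_IP_WINNETOU`; a short comment noting that the FORWARD rules for tunneled traffic are expected to come from the updown script rather than this file would save the next reader from looking for them here, if that is the intent (not visible on this page).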
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql kernel-netlink updown
+}
+
+pool {
+ load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
new file mode 100644
index 000000000..db5e6237f
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+alice::ipsec stop
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+alice::/etc/init.d/iptables stop 2> /dev/null
+moon::conntrack -F
+moon::ipsec pool --del intpool 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
new file mode 100644
index 000000000..b579464f2
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -0,0 +1,13 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+moon::ipsec start
+alice::ipsec start
+carol::sleep 2
+carol::ipsec up home
+alice::ipsec up home
+alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
new file mode 100644
index 000000000..329774c0a
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
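Review bot: `moon::ipsec pool --add intpool … 2> /dev/null` in pretest.dat discards the only diagnostic a failed pool creation would produce (an empty database after the `sqlite3` import, a rejected range), so the failure only surfaces many steps later as an `ESTABLISHED` miss in evaltest.dat; the same redirect on `ipsec pool --status` and `--leases` in evaltest.dat hides why a pattern did not match. Keep the redirect only where the noise is known, or point it at a file under /var/log rather than /dev/null so it is still collected with the other host logs. `moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db` is a useless use of cat; `moon::sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql` reads the same file directly.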
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice carol"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol"
-- 
cgit v1.2.3