From 918094fde55fa0dbfd59a5f88d576efb513a88db Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Wed, 2 Jan 2019 10:45:36 +0100 Subject: New upstream version 5.7.2 --- testing/config/kernel/config-4.19 | 2690 ++++++++ testing/config/kvm/alice.xml | 6 +- testing/config/kvm/bob.xml | 2 +- testing/config/kvm/carol.xml | 2 +- testing/config/kvm/dave.xml | 2 +- testing/config/kvm/moon.xml | 2 +- testing/config/kvm/sun.xml | 2 +- testing/config/kvm/venus.xml | 2 +- testing/config/kvm/winnetou.xml | 2 +- testing/do-tests | 36 +- .../hosts/alice/etc/freeradius/3.0/clients.conf | 5 + .../hosts/alice/etc/freeradius/3.0/radiusd.conf | 99 + testing/hosts/alice/etc/freeradius/dictionary | 2 +- testing/hosts/alice/etc/freeradius/radiusd.conf | 2 - testing/hosts/default/etc/ssh/sshd_config | 2 +- testing/hosts/default/usr/local/bin/init_collector | 2 + testing/hosts/venus/etc/default/isc-dhcp-server | 3 + .../apache2/conf-enabled/testresults-as-text.conf | 1 + .../etc/apache2/conf.d/testresults-as-text | 4 - .../etc/apache2/sites-enabled/001-ocsp_vhost.conf | 24 +- .../hosts/winnetou/etc/openssl/duck/openssl.cnf | 20 +- .../hosts/winnetou/etc/openssl/ecdsa/openssl.cnf | 22 +- .../hosts/winnetou/etc/openssl/monster/openssl.cnf | 20 +- testing/hosts/winnetou/etc/openssl/openssl.cnf | 22 +- .../winnetou/etc/openssl/research/openssl.cnf | 20 +- .../hosts/winnetou/etc/openssl/rfc3779/openssl.cnf | 24 +- .../hosts/winnetou/etc/openssl/sales/openssl.cnf | 22 +- testing/scripts/build-baseimage | 41 +- testing/scripts/build-guestimages | 7 +- testing/scripts/build-rootimage | 5 +- testing/scripts/recipes/001_libtnc.mk | 31 - testing/scripts/recipes/002_tnc-fhh.mk | 35 - testing/scripts/recipes/003_freeradius.mk | 43 - testing/scripts/recipes/004_hostapd.mk | 39 - testing/scripts/recipes/004_wpa_supplicant.mk | 39 - testing/scripts/recipes/005_anet.mk | 9 +- testing/scripts/recipes/006_tkm-rpc.mk | 9 +- testing/scripts/recipes/007_x509-ada.mk | 9 +- testing/scripts/recipes/008_xfrm-ada.mk | 9 +- testing/scripts/recipes/009_xfrm-proxy.mk | 9 +- testing/scripts/recipes/010_tkm.mk | 9 +- testing/scripts/recipes/011_botan.mk | 12 +- .../recipes/patches/freeradius-eap-sim-identity | 30 - testing/scripts/recipes/patches/freeradius-tnc-fhh | 6687 -------------------- testing/scripts/recipes/patches/hostapd-config | 38 - testing/scripts/recipes/patches/tnc-fhh-tncsim | 12 - .../scripts/recipes/patches/wpa_supplicant-eap-tnc | 47 - testing/testing.conf | 16 +- .../tests/botan/net2net-ed25519/description.txt | 10 + testing/tests/botan/net2net-ed25519/evaltest.dat | 7 + .../net2net-ed25519/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/pkcs8/moonKey.pem | 3 + .../hosts/moon/etc/swanctl/swanctl.conf | 33 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 13 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 11 + .../net2net-ed25519/hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/pkcs8/sunKey.pem | 3 + .../hosts/sun/etc/swanctl/swanctl.conf | 33 + .../hosts/sun/etc/swanctl/x509/sunCert.pem | 13 + .../sun/etc/swanctl/x509ca/strongswanCert.pem | 11 + testing/tests/botan/net2net-ed25519/posttest.dat | 7 + testing/tests/botan/net2net-ed25519/pretest.dat | 9 + testing/tests/botan/net2net-ed25519/test.conf | 25 + testing/tests/botan/net2net-pkcs12/description.txt | 8 + testing/tests/botan/net2net-pkcs12/evaltest.dat | 5 + .../net2net-pkcs12/hosts/moon/etc/strongswan.conf | 6 + .../hosts/moon/etc/swanctl/pkcs12/moonCert.p12 | Bin 0 -> 3661 bytes .../hosts/moon/etc/swanctl/swanctl.conf | 36 + .../net2net-pkcs12/hosts/sun/etc/strongswan.conf | 6 + .../hosts/sun/etc/swanctl/pkcs12/sunCert.p12 | Bin 0 -> 3661 bytes .../hosts/sun/etc/swanctl/swanctl.conf | 36 + testing/tests/botan/net2net-pkcs12/posttest.dat | 6 + testing/tests/botan/net2net-pkcs12/pretest.dat | 9 + testing/tests/botan/net2net-pkcs12/test.conf | 25 + .../botan/net2net-sha3-rsa-cert/description.txt | 8 + .../tests/botan/net2net-sha3-rsa-cert/evaltest.dat | 5 + .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/rsa/moonKey.pem | 39 + .../hosts/moon/etc/swanctl/swanctl.conf | 33 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 28 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/rsa/sunKey.pem | 39 + .../hosts/sun/etc/swanctl/swanctl.conf | 33 + .../hosts/sun/etc/swanctl/x509/sunCert.pem | 28 + .../sun/etc/swanctl/x509ca/strongswanCert.pem | 26 + .../tests/botan/net2net-sha3-rsa-cert/posttest.dat | 5 + .../tests/botan/net2net-sha3-rsa-cert/pretest.dat | 7 + .../tests/botan/net2net-sha3-rsa-cert/test.conf | 25 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 56 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../ikev1/xauth-rsa-eap-md5-radius/posttest.dat | 2 +- .../ikev1/xauth-rsa-eap-md5-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 0 .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 53 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + testing/tests/ikev1/xauth-rsa-radius/posttest.dat | 2 +- testing/tests/ikev1/xauth-rsa-radius/pretest.dat | 2 +- .../ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf | 9 - .../hosts/moon/etc/dhcpd.conf | 9 - .../dhcp-static-mac/hosts/moon/etc/dhcpd.conf | 9 - testing/tests/ikev2/host2host-cert/description.txt | 6 +- .../tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat | 2 +- testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 14 +- .../hosts/alice/etc/freeradius/triplets.dat | 6 - .../hosts/alice/etc/freeradius/users | 2 + .../ikev2/mult-auth-rsa-eap-sim-id/posttest.dat | 2 +- .../ikev2/mult-auth-rsa-eap-sim-id/pretest.dat | 6 +- testing/tests/ikev2/nat-rw-psk/description.txt | 3 +- testing/tests/ikev2/nat-rw/description.txt | 2 + testing/tests/ikev2/net2net-psk/description.txt | 5 +- .../tests/ikev2/rw-eap-aka-id-rsa/description.txt | 14 +- testing/tests/ikev2/rw-eap-aka-rsa/description.txt | 13 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 4 + .../ikev2/rw-eap-framed-ip-radius/posttest.dat | 2 +- .../ikev2/rw-eap-framed-ip-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 4 + .../ikev2/rw-eap-md5-class-radius/posttest.dat | 2 +- .../ikev2/rw-eap-md5-class-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../tests/ikev2/rw-eap-md5-id-radius/posttest.dat | 2 +- .../tests/ikev2/rw-eap-md5-id-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + testing/tests/ikev2/rw-eap-md5-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-md5-radius/pretest.dat | 2 +- testing/tests/ikev2/rw-eap-md5-rsa/description.txt | 12 +- .../ikev2/rw-eap-mschapv2-id-rsa/description.txt | 16 +- .../alice/etc/freeradius/3.0/mods-available/eap | 21 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 38 + .../hosts/alice/etc/freeradius/3.0/users | 2 + .../tests/ikev2/rw-eap-peap-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-peap-radius/pretest.dat | 2 +- .../ikev2/rw-eap-sim-id-radius/description.txt | 16 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 13 +- .../hosts/alice/etc/freeradius/triplets.dat | 3 - .../hosts/alice/etc/freeradius/users | 1 + .../tests/ikev2/rw-eap-sim-id-radius/posttest.dat | 2 +- .../tests/ikev2/rw-eap-sim-id-radius/pretest.dat | 3 +- .../ikev2/rw-eap-sim-only-radius/description.txt | 23 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 13 +- .../hosts/alice/etc/freeradius/triplets.dat | 6 - .../hosts/alice/etc/freeradius/users | 2 + .../ikev2/rw-eap-sim-only-radius/posttest.dat | 2 +- .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat | 3 +- .../tests/ikev2/rw-eap-sim-radius/description.txt | 25 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 13 +- .../hosts/alice/etc/freeradius/triplets.dat | 6 - .../hosts/alice/etc/freeradius/users | 2 + testing/tests/ikev2/rw-eap-sim-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-sim-radius/pretest.dat | 6 +- testing/tests/ikev2/rw-eap-sim-rsa/description.txt | 13 +- .../alice/etc/freeradius/3.0/mods-available/eap | 16 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 55 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 0 .../hosts/carol/etc/strongswan.conf | 4 - testing/tests/ikev2/rw-eap-tls-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-tls-radius/pretest.dat | 2 +- .../rw-eap-ttls-phase2-piggyback/description.txt | 10 - .../rw-eap-ttls-phase2-piggyback/evaltest.dat | 19 - .../hosts/carol/etc/ipsec.conf | 20 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 11 - .../hosts/dave/etc/ipsec.conf | 20 - .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 11 - .../hosts/moon/etc/ipsec.conf | 19 - .../hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 18 - .../rw-eap-ttls-phase2-piggyback/posttest.dat | 6 - .../ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat | 11 - .../ikev2/rw-eap-ttls-phase2-piggyback/test.conf | 21 - .../alice/etc/freeradius/3.0/mods-available/eap | 21 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 38 + .../hosts/alice/etc/freeradius/3.0/users | 2 + .../tests/ikev2/rw-eap-ttls-radius/posttest.dat | 2 +- testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat | 2 +- .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 64 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../tests/ikev2/rw-radius-accounting/posttest.dat | 2 +- .../tests/ikev2/rw-radius-accounting/pretest.dat | 2 +- .../tests/ipv6-stroke/host2host-ikev1/evaltest.dat | 2 +- .../tests/ipv6-stroke/host2host-ikev2/evaltest.dat | 2 +- .../tests/ipv6-stroke/net2net-ikev1/evaltest.dat | 2 +- .../tests/ipv6-stroke/net2net-ikev2/evaltest.dat | 2 +- .../net2net-ip6-in-ip4-ikev1/evaltest.dat | 2 +- .../net2net-ip6-in-ip4-ikev2/evaltest.dat | 2 +- testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat | 4 +- testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat | 4 +- .../ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat | 4 +- .../ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat | 4 +- .../tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat | 4 +- .../tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat | 4 +- .../tests/ipv6-stroke/transport-ikev1/evaltest.dat | 2 +- .../tests/ipv6-stroke/transport-ikev2/evaltest.dat | 2 +- testing/tests/ipv6/host2host-ikev1/evaltest.dat | 2 +- testing/tests/ipv6/host2host-ikev2/evaltest.dat | 2 +- testing/tests/ipv6/net2net-ikev1/evaltest.dat | 2 +- testing/tests/ipv6/net2net-ikev2/evaltest.dat | 2 +- .../ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat | 2 +- .../ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat | 2 +- .../tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat | 2 +- testing/tests/ipv6/rw-ikev1/evaltest.dat | 4 +- testing/tests/ipv6/rw-ikev2/evaltest.dat | 4 +- .../tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat | 4 +- .../tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat | 4 +- testing/tests/ipv6/rw-psk-ikev1/evaltest.dat | 4 +- testing/tests/ipv6/rw-psk-ikev2/evaltest.dat | 4 +- testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat | 4 +- testing/tests/ipv6/transport-ikev1/evaltest.dat | 2 +- testing/tests/ipv6/transport-ikev2/evaltest.dat | 2 +- .../tests/libipsec/net2net-cert-ipv6/evaltest.dat | 2 +- .../openssl-ikev1/alg-camellia/description.txt | 7 +- .../tests/openssl-ikev1/alg-camellia/evaltest.dat | 8 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 22 - .../alg-camellia/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-camellia/hosts/moon/etc/ipsec.conf | 21 - .../alg-camellia/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev1/alg-camellia/posttest.dat | 5 +- .../tests/openssl-ikev1/alg-camellia/pretest.dat | 8 +- testing/tests/openssl-ikev1/alg-camellia/test.conf | 4 + .../openssl-ikev1/alg-ecp-high/description.txt | 8 +- .../tests/openssl-ikev1/alg-ecp-high/evaltest.dat | 14 +- .../alg-ecp-high/hosts/carol/etc/ipsec.conf | 21 - .../alg-ecp-high/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-high/hosts/dave/etc/ipsec.conf | 21 - .../alg-ecp-high/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-high/hosts/moon/etc/ipsec.conf | 20 - .../alg-ecp-high/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev1/alg-ecp-high/posttest.dat | 6 +- .../tests/openssl-ikev1/alg-ecp-high/pretest.dat | 10 +- testing/tests/openssl-ikev1/alg-ecp-high/test.conf | 4 + .../openssl-ikev1/alg-ecp-low/description.txt | 10 +- .../tests/openssl-ikev1/alg-ecp-low/evaltest.dat | 15 +- .../alg-ecp-low/hosts/carol/etc/ipsec.conf | 21 - .../alg-ecp-low/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-low/hosts/dave/etc/ipsec.conf | 21 - .../alg-ecp-low/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-low/hosts/moon/etc/ipsec.conf | 20 - .../alg-ecp-low/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev1/alg-ecp-low/posttest.dat | 6 +- .../tests/openssl-ikev1/alg-ecp-low/pretest.dat | 10 +- testing/tests/openssl-ikev1/alg-ecp-low/test.conf | 4 + .../openssl-ikev1/ecdsa-certs/description.txt | 7 +- .../tests/openssl-ikev1/ecdsa-certs/evaltest.dat | 12 +- .../ecdsa-certs/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 - .../ecdsa-certs/hosts/carol/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/ecdsa/carolKey.pem | 8 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/carol/etc/swanctl/x509/carolCert.pem | 18 + .../carol/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-certs/hosts/dave/etc/ipsec.conf | 22 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 6 - .../ecdsa-certs/hosts/dave/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/ecdsa/daveKey.pem | 6 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../hosts/dave/etc/swanctl/x509/daveCert.pem | 19 + .../dave/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-certs/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 - .../ecdsa-certs/hosts/moon/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/ecdsa/moonKey.pem | 7 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 20 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../tests/openssl-ikev1/ecdsa-certs/posttest.dat | 11 +- .../tests/openssl-ikev1/ecdsa-certs/pretest.dat | 13 +- testing/tests/openssl-ikev1/ecdsa-certs/test.conf | 4 + .../openssl-ikev2/alg-aes-gcm/description.txt | 16 - .../tests/openssl-ikev2/alg-aes-gcm/evaltest.dat | 26 - .../alg-aes-gcm/hosts/carol/etc/ipsec.conf | 22 - .../alg-aes-gcm/hosts/carol/etc/strongswan.conf | 5 - .../alg-aes-gcm/hosts/dave/etc/ipsec.conf | 22 - .../alg-aes-gcm/hosts/dave/etc/strongswan.conf | 5 - .../alg-aes-gcm/hosts/moon/etc/ipsec.conf | 21 - .../alg-aes-gcm/hosts/moon/etc/strongswan.conf | 5 - .../tests/openssl-ikev2/alg-aes-gcm/posttest.dat | 6 - .../tests/openssl-ikev2/alg-aes-gcm/pretest.dat | 11 - testing/tests/openssl-ikev2/alg-aes-gcm/test.conf | 21 - .../openssl-ikev2/alg-blowfish/description.txt | 11 - .../tests/openssl-ikev2/alg-blowfish/evaltest.dat | 17 - .../alg-blowfish/hosts/carol/etc/ipsec.conf | 22 - .../alg-blowfish/hosts/carol/etc/strongswan.conf | 5 - .../alg-blowfish/hosts/dave/etc/ipsec.conf | 22 - .../alg-blowfish/hosts/dave/etc/strongswan.conf | 5 - .../alg-blowfish/hosts/moon/etc/ipsec.conf | 21 - .../alg-blowfish/hosts/moon/etc/strongswan.conf | 5 - .../tests/openssl-ikev2/alg-blowfish/posttest.dat | 6 - .../tests/openssl-ikev2/alg-blowfish/pretest.dat | 11 - testing/tests/openssl-ikev2/alg-blowfish/test.conf | 21 - .../openssl-ikev2/alg-camellia/description.txt | 7 +- .../tests/openssl-ikev2/alg-camellia/evaltest.dat | 8 +- .../alg-camellia/hosts/carol/etc/ipsec.conf | 22 - .../alg-camellia/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-camellia/hosts/moon/etc/ipsec.conf | 21 - .../alg-camellia/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev2/alg-camellia/posttest.dat | 5 +- .../tests/openssl-ikev2/alg-camellia/pretest.dat | 8 +- testing/tests/openssl-ikev2/alg-camellia/test.conf | 4 + .../alg-ecp-brainpool-high/description.txt | 8 +- .../alg-ecp-brainpool-high/evaltest.dat | 15 +- .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../alg-ecp-brainpool-high/posttest.dat | 6 +- .../alg-ecp-brainpool-high/pretest.dat | 10 +- .../openssl-ikev2/alg-ecp-brainpool-high/test.conf | 4 + .../alg-ecp-brainpool-low/description.txt | 13 +- .../alg-ecp-brainpool-low/evaltest.dat | 15 +- .../hosts/carol/etc/ipsec.conf | 21 - .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../hosts/dave/etc/ipsec.conf | 21 - .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../hosts/moon/etc/ipsec.conf | 20 - .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../alg-ecp-brainpool-low/posttest.dat | 6 +- .../alg-ecp-brainpool-low/pretest.dat | 10 +- .../openssl-ikev2/alg-ecp-brainpool-low/test.conf | 4 + .../openssl-ikev2/alg-ecp-high/description.txt | 8 +- .../tests/openssl-ikev2/alg-ecp-high/evaltest.dat | 14 +- .../alg-ecp-high/hosts/carol/etc/ipsec.conf | 21 - .../alg-ecp-high/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-high/hosts/dave/etc/ipsec.conf | 21 - .../alg-ecp-high/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-high/hosts/moon/etc/ipsec.conf | 20 - .../alg-ecp-high/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev2/alg-ecp-high/posttest.dat | 6 +- .../tests/openssl-ikev2/alg-ecp-high/pretest.dat | 10 +- testing/tests/openssl-ikev2/alg-ecp-high/test.conf | 4 + .../openssl-ikev2/alg-ecp-low/description.txt | 10 +- .../tests/openssl-ikev2/alg-ecp-low/evaltest.dat | 15 +- .../alg-ecp-low/hosts/carol/etc/ipsec.conf | 21 - .../alg-ecp-low/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-low/hosts/dave/etc/ipsec.conf | 21 - .../alg-ecp-low/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../alg-ecp-low/hosts/moon/etc/ipsec.conf | 20 - .../alg-ecp-low/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../tests/openssl-ikev2/alg-ecp-low/posttest.dat | 6 +- .../tests/openssl-ikev2/alg-ecp-low/pretest.dat | 10 +- testing/tests/openssl-ikev2/alg-ecp-low/test.conf | 4 + .../critical-extension/description.txt | 2 +- .../openssl-ikev2/critical-extension/evaltest.dat | 2 - .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 952 -> 0 bytes .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 - .../hosts/moon/etc/strongswan.conf | 4 +- .../hosts/moon/etc/swanctl/rsa/moonKey.pem | 27 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../hosts/moon/etc/swanctl/x509/moonCert.der | Bin 0 -> 952 bytes .../hosts/sun/etc/ipsec.d/certs/sunCert.der | Bin 951 -> 0 bytes .../hosts/sun/etc/ipsec.d/private/sunKey.pem | 27 - .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/rsa/sunKey.pem | 27 + .../hosts/sun/etc/swanctl/swanctl.conf | 26 + .../hosts/sun/etc/swanctl/x509/sunCert.der | Bin 0 -> 951 bytes .../openssl-ikev2/critical-extension/posttest.dat | 9 +- .../openssl-ikev2/critical-extension/pretest.dat | 14 +- .../openssl-ikev2/critical-extension/test.conf | 6 +- .../openssl-ikev2/ecdsa-certs/description.txt | 7 +- .../tests/openssl-ikev2/ecdsa-certs/evaltest.dat | 16 +- .../ecdsa-certs/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 - .../ecdsa-certs/hosts/carol/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/ecdsa/carolKey.pem | 8 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/carol/etc/swanctl/x509/carolCert.pem | 18 + .../carol/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-certs/hosts/dave/etc/ipsec.conf | 22 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 6 - .../ecdsa-certs/hosts/dave/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 3 +- .../hosts/dave/etc/swanctl/ecdsa/daveKey.pem | 6 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../hosts/dave/etc/swanctl/x509/daveCert.pem | 19 + .../dave/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-certs/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 - .../ecdsa-certs/hosts/moon/etc/ipsec.secrets | 3 - .../ecdsa-certs/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/ecdsa/moonKey.pem | 7 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 20 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../tests/openssl-ikev2/ecdsa-certs/posttest.dat | 11 +- .../tests/openssl-ikev2/ecdsa-certs/pretest.dat | 13 +- testing/tests/openssl-ikev2/ecdsa-certs/test.conf | 4 + .../tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat | 8 +- .../ecdsa-pkcs8/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 7 - .../ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets | 3 - .../ecdsa-pkcs8/hosts/carol/etc/strongswan.conf | 2 +- .../hosts/carol/etc/swanctl/pkcs8/carolKey.pem | 7 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/carol/etc/swanctl/x509/carolCert.pem | 18 + .../carol/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-pkcs8/hosts/dave/etc/ipsec.conf | 22 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 8 - .../ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets | 3 - .../ecdsa-pkcs8/hosts/dave/etc/strongswan.conf | 2 +- .../hosts/dave/etc/swanctl/pkcs8/daveKey.pem | 8 + .../hosts/dave/etc/swanctl/swanctl.conf | 36 + .../hosts/dave/etc/swanctl/x509/daveCert.pem | 19 + .../dave/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../ecdsa-pkcs8/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 - .../ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets | 3 - .../ecdsa-pkcs8/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/ecdsa/moonKey.pem | 7 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + .../hosts/moon/etc/swanctl/x509/moonCert.pem | 20 + .../moon/etc/swanctl/x509ca/strongswanCert.pem | 15 + .../tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat | 11 +- .../tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat | 13 +- testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf | 4 + .../openssl-ikev2/net2net-pgp-v3/description.txt | 6 - .../openssl-ikev2/net2net-pgp-v3/evaltest.dat | 7 - .../net2net-pgp-v3/hosts/moon/etc/ipsec.conf | 24 - .../hosts/moon/etc/ipsec.d/certs/moonCert.asc | 15 - .../hosts/moon/etc/ipsec.d/certs/sunCert.asc | 15 - .../hosts/moon/etc/ipsec.d/private/moonKey.asc | 19 - .../net2net-pgp-v3/hosts/moon/etc/ipsec.secrets | 3 - .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf | 6 - .../net2net-pgp-v3/hosts/sun/etc/ipsec.conf | 24 - .../hosts/sun/etc/ipsec.d/certs/moonCert.asc | 15 - .../hosts/sun/etc/ipsec.d/certs/sunCert.asc | 15 - .../hosts/sun/etc/ipsec.d/private/sunKey.asc | 19 - .../net2net-pgp-v3/hosts/sun/etc/ipsec.secrets | 3 - .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf | 6 - .../openssl-ikev2/net2net-pgp-v3/posttest.dat | 8 - .../tests/openssl-ikev2/net2net-pgp-v3/pretest.dat | 9 - .../tests/openssl-ikev2/net2net-pgp-v3/test.conf | 21 - .../openssl-ikev2/net2net-pkcs12/description.txt | 4 +- .../openssl-ikev2/net2net-pkcs12/evaltest.dat | 6 +- .../net2net-pkcs12/hosts/moon/etc/ipsec.conf | 23 - .../hosts/moon/etc/ipsec.d/private/moonCert.p12 | Bin 3661 -> 0 bytes .../net2net-pkcs12/hosts/moon/etc/ipsec.secrets | 3 - .../net2net-pkcs12/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/swanctl/pkcs12/moonCert.p12 | Bin 0 -> 3661 bytes .../hosts/moon/etc/swanctl/swanctl.conf | 36 + .../net2net-pkcs12/hosts/sun/etc/ipsec.conf | 23 - .../hosts/sun/etc/ipsec.d/private/sunCert.p12 | Bin 3661 -> 0 bytes .../net2net-pkcs12/hosts/sun/etc/ipsec.secrets | 8 - .../net2net-pkcs12/hosts/sun/etc/strongswan.conf | 2 +- .../hosts/sun/etc/swanctl/pkcs12/sunCert.p12 | Bin 0 -> 3661 bytes .../hosts/sun/etc/swanctl/swanctl.conf | 36 + .../openssl-ikev2/net2net-pkcs12/posttest.dat | 8 +- .../tests/openssl-ikev2/net2net-pkcs12/pretest.dat | 16 +- .../tests/openssl-ikev2/net2net-pkcs12/test.conf | 6 +- .../tests/openssl-ikev2/rw-cert/description.txt | 9 +- testing/tests/openssl-ikev2/rw-cert/evaltest.dat | 13 +- .../rw-cert/hosts/carol/etc/ipsec.conf | 21 - .../rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf | 27 + .../rw-cert/hosts/dave/etc/ipsec.conf | 21 - .../rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf | 27 + .../rw-cert/hosts/moon/etc/ipsec.conf | 20 - .../rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf | 25 + testing/tests/openssl-ikev2/rw-cert/posttest.dat | 8 +- testing/tests/openssl-ikev2/rw-cert/pretest.dat | 13 +- testing/tests/openssl-ikev2/rw-cert/test.conf | 4 + .../openssl-ikev2/rw-eap-tls-only/description.txt | 5 - .../openssl-ikev2/rw-eap-tls-only/evaltest.dat | 10 - .../rw-eap-tls-only/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 - .../rw-eap-tls-only/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 11 - .../rw-eap-tls-only/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 - .../rw-eap-tls-only/hosts/moon/etc/ipsec.secrets | 3 - .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 15 - .../openssl-ikev2/rw-eap-tls-only/posttest.dat | 4 - .../openssl-ikev2/rw-eap-tls-only/pretest.dat | 7 - .../tests/openssl-ikev2/rw-eap-tls-only/test.conf | 21 - .../openssl-ikev2/rw-suite-b-128/description.txt | 12 - .../openssl-ikev2/rw-suite-b-128/evaltest.dat | 11 - .../rw-suite-b-128/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 7 - .../rw-suite-b-128/hosts/carol/etc/ipsec.secrets | 3 - .../rw-suite-b-128/hosts/carol/etc/iptables.flush | 21 - .../rw-suite-b-128/hosts/carol/etc/iptables.rules | 32 - .../rw-suite-b-128/hosts/carol/etc/strongswan.conf | 19 - .../rw-suite-b-128/hosts/dave/etc/ipsec.conf | 21 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 18 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 5 - .../rw-suite-b-128/hosts/dave/etc/ipsec.secrets | 3 - .../rw-suite-b-128/hosts/dave/etc/iptables.flush | 21 - .../rw-suite-b-128/hosts/dave/etc/iptables.rules | 32 - .../rw-suite-b-128/hosts/dave/etc/strongswan.conf | 19 - .../rw-suite-b-128/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 18 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 5 - .../rw-suite-b-128/hosts/moon/etc/ipsec.secrets | 3 - .../rw-suite-b-128/hosts/moon/etc/iptables.flush | 21 - .../rw-suite-b-128/hosts/moon/etc/iptables.rules | 32 - .../rw-suite-b-128/hosts/moon/etc/strongswan.conf | 18 - .../openssl-ikev2/rw-suite-b-128/posttest.dat | 6 - .../tests/openssl-ikev2/rw-suite-b-128/pretest.dat | 11 - .../tests/openssl-ikev2/rw-suite-b-128/test.conf | 21 - .../openssl-ikev2/rw-suite-b-192/description.txt | 12 - .../openssl-ikev2/rw-suite-b-192/evaltest.dat | 11 - .../rw-suite-b-192/hosts/carol/etc/ipsec.conf | 22 - .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 19 - .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 - .../rw-suite-b-192/hosts/carol/etc/ipsec.secrets | 3 - .../rw-suite-b-192/hosts/carol/etc/iptables.flush | 21 - .../rw-suite-b-192/hosts/carol/etc/iptables.rules | 32 - .../rw-suite-b-192/hosts/carol/etc/strongswan.conf | 19 - .../rw-suite-b-192/hosts/dave/etc/ipsec.conf | 21 - .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 - .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 6 - .../rw-suite-b-192/hosts/dave/etc/ipsec.secrets | 3 - .../rw-suite-b-192/hosts/dave/etc/iptables.flush | 21 - .../rw-suite-b-192/hosts/dave/etc/iptables.rules | 32 - .../rw-suite-b-192/hosts/dave/etc/strongswan.conf | 19 - .../rw-suite-b-192/hosts/moon/etc/ipsec.conf | 21 - .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 15 - .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 19 - .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 6 - .../rw-suite-b-192/hosts/moon/etc/ipsec.secrets | 3 - .../rw-suite-b-192/hosts/moon/etc/iptables.flush | 21 - .../rw-suite-b-192/hosts/moon/etc/iptables.rules | 32 - .../rw-suite-b-192/hosts/moon/etc/strongswan.conf | 18 - .../openssl-ikev2/rw-suite-b-192/posttest.dat | 6 - .../tests/openssl-ikev2/rw-suite-b-192/pretest.dat | 11 - .../tests/openssl-ikev2/rw-suite-b-192/test.conf | 21 - .../rw-shared-vti-ip6-in-ip4/evaltest.dat | 4 +- testing/tests/sql/rw-psk-ipv6/evaltest.dat | 4 +- testing/tests/swanctl/config-payload/evaltest.dat | 8 +- .../swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf | 9 - testing/tests/swanctl/frags-ipv6/evaltest.dat | 4 +- .../tests/swanctl/host2host-cert/description.txt | 6 + testing/tests/swanctl/host2host-cert/evaltest.dat | 6 + .../host2host-cert/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 30 + .../host2host-cert/hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/swanctl.conf | 30 + testing/tests/swanctl/host2host-cert/posttest.dat | 5 + testing/tests/swanctl/host2host-cert/pretest.dat | 7 + testing/tests/swanctl/host2host-cert/test.conf | 25 + .../swanctl/host2host-transport/description.txt | 6 + .../tests/swanctl/host2host-transport/evaltest.dat | 6 + .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 31 + .../hosts/sun/etc/strongswan.conf | 9 + .../hosts/sun/etc/swanctl/swanctl.conf | 31 + .../tests/swanctl/host2host-transport/posttest.dat | 5 + .../tests/swanctl/host2host-transport/pretest.dat | 7 + .../tests/swanctl/host2host-transport/test.conf | 25 + testing/tests/swanctl/ip-pool-db/evaltest.dat | 8 +- testing/tests/swanctl/ip-pool/evaltest.dat | 8 +- .../tests/swanctl/ip-two-pools-db/description.txt | 14 + testing/tests/swanctl/ip-two-pools-db/evaltest.dat | 35 + .../hosts/alice/etc/strongswan.conf | 9 + .../hosts/alice/etc/swanctl/swanctl.conf | 27 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../ip-two-pools-db/hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 27 + .../ip-two-pools-db/hosts/moon/etc/iptables.rules | 43 + .../ip-two-pools-db/hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 48 + .../hosts/venus/etc/strongswan.conf | 9 + .../hosts/venus/etc/swanctl/swanctl.conf | 27 + testing/tests/swanctl/ip-two-pools-db/posttest.dat | 18 + testing/tests/swanctl/ip-two-pools-db/pretest.dat | 30 + testing/tests/swanctl/ip-two-pools-db/test.conf | 29 + testing/tests/swanctl/ip-two-pools/description.txt | 9 + testing/tests/swanctl/ip-two-pools/evaltest.dat | 18 + .../ip-two-pools/hosts/alice/etc/strongswan.conf | 9 + .../hosts/alice/etc/swanctl/swanctl.conf | 26 + .../ip-two-pools/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 + .../ip-two-pools/hosts/moon/etc/iptables.rules | 43 + .../ip-two-pools/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 55 + testing/tests/swanctl/ip-two-pools/posttest.dat | 8 + testing/tests/swanctl/ip-two-pools/pretest.dat | 11 + testing/tests/swanctl/ip-two-pools/test.conf | 25 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/modules/sim_files | 3 - .../alice/etc/freeradius/sites-available/default | 13 +- .../hosts/alice/etc/freeradius/triplets.dat | 6 - .../hosts/alice/etc/freeradius/users | 2 + .../swanctl/mult-auth-rsa-eap-sim-id/posttest.dat | 2 +- .../swanctl/mult-auth-rsa-eap-sim-id/pretest.dat | 6 +- testing/tests/swanctl/nat-rw-psk/description.txt | 8 + testing/tests/swanctl/nat-rw-psk/evaltest.dat | 14 + .../nat-rw-psk/hosts/alice/etc/strongswan.conf | 7 + .../hosts/alice/etc/swanctl/swanctl.conf | 33 + .../nat-rw-psk/hosts/sun/etc/iptables.rules | 24 + .../nat-rw-psk/hosts/sun/etc/strongswan.conf | 5 + .../nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf | 36 + .../nat-rw-psk/hosts/venus/etc/strongswan.conf | 7 + .../hosts/venus/etc/swanctl/swanctl.conf | 34 + testing/tests/swanctl/nat-rw-psk/posttest.dat | 7 + testing/tests/swanctl/nat-rw-psk/pretest.dat | 16 + testing/tests/swanctl/nat-rw-psk/test.conf | 25 + testing/tests/swanctl/nat-rw/description.txt | 8 + testing/tests/swanctl/nat-rw/evaltest.dat | 14 + .../swanctl/nat-rw/hosts/alice/etc/strongswan.conf | 7 + .../nat-rw/hosts/alice/etc/swanctl/swanctl.conf | 27 + .../swanctl/nat-rw/hosts/sun/etc/iptables.rules | 24 + .../swanctl/nat-rw/hosts/sun/etc/strongswan.conf | 5 + .../nat-rw/hosts/sun/etc/swanctl/swanctl.conf | 26 + .../swanctl/nat-rw/hosts/venus/etc/strongswan.conf | 7 + .../nat-rw/hosts/venus/etc/swanctl/swanctl.conf | 27 + testing/tests/swanctl/nat-rw/posttest.dat | 7 + testing/tests/swanctl/nat-rw/pretest.dat | 13 + testing/tests/swanctl/nat-rw/test.conf | 25 + testing/tests/swanctl/net2net-psk/description.txt | 7 + testing/tests/swanctl/net2net-psk/evaltest.dat | 5 + .../net2net-psk/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 55 + .../net2net-psk/hosts/sun/etc/strongswan.conf | 9 + .../net2net-psk/hosts/sun/etc/swanctl/swanctl.conf | 40 + testing/tests/swanctl/net2net-psk/posttest.dat | 5 + testing/tests/swanctl/net2net-psk/pretest.dat | 9 + testing/tests/swanctl/net2net-psk/test.conf | 25 + testing/tests/swanctl/rw-cert-pss/evaltest.dat | 8 +- testing/tests/swanctl/rw-cert/description.txt | 3 +- .../swanctl/rw-eap-aka-id-rsa/description.txt | 11 + .../tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat | 10 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 35 + .../tests/swanctl/rw-eap-aka-id-rsa/posttest.dat | 5 + .../tests/swanctl/rw-eap-aka-id-rsa/pretest.dat | 8 + testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf | 25 + .../tests/swanctl/rw-eap-aka-rsa/description.txt | 8 + testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat | 9 + .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 34 + testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat | 5 + testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat | 8 + testing/tests/swanctl/rw-eap-aka-rsa/test.conf | 25 + .../swanctl/rw-eap-md5-id-radius/description.txt | 10 + .../swanctl/rw-eap-md5-id-radius/evaltest.dat | 10 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../hosts/alice/etc/freeradius/users | 1 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 28 + .../swanctl/rw-eap-md5-id-radius/posttest.dat | 5 + .../tests/swanctl/rw-eap-md5-id-radius/pretest.dat | 9 + .../tests/swanctl/rw-eap-md5-id-radius/test.conf | 29 + .../swanctl/rw-eap-md5-radius/description.txt | 7 + .../tests/swanctl/rw-eap-md5-radius/evaltest.dat | 9 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../hosts/alice/etc/freeradius/users | 1 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 27 + .../tests/swanctl/rw-eap-md5-radius/posttest.dat | 5 + .../tests/swanctl/rw-eap-md5-radius/pretest.dat | 9 + testing/tests/swanctl/rw-eap-md5-radius/test.conf | 29 + .../tests/swanctl/rw-eap-md5-rsa/description.txt | 7 + testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat | 10 + .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 39 + testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat | 5 + testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat | 8 + testing/tests/swanctl/rw-eap-md5-rsa/test.conf | 25 + .../swanctl/rw-eap-mschapv2-id-rsa/description.txt | 10 + .../swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat | 11 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 34 + .../hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 40 + .../swanctl/rw-eap-mschapv2-id-rsa/posttest.dat | 5 + .../swanctl/rw-eap-mschapv2-id-rsa/pretest.dat | 8 + .../tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf | 25 + .../tests/swanctl/rw-eap-peap-md5/description.txt | 10 + testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat | 17 + .../hosts/carol/etc/strongswan.conf | 20 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../rw-eap-peap-md5/hosts/dave/etc/strongswan.conf | 20 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../rw-eap-peap-md5/hosts/moon/etc/strongswan.conf | 22 + .../hosts/moon/etc/swanctl/swanctl.conf | 37 + testing/tests/swanctl/rw-eap-peap-md5/posttest.dat | 6 + testing/tests/swanctl/rw-eap-peap-md5/pretest.dat | 13 + testing/tests/swanctl/rw-eap-peap-md5/test.conf | 25 + .../swanctl/rw-eap-peap-mschapv2/description.txt | 8 + .../swanctl/rw-eap-peap-mschapv2/evaltest.dat | 17 + .../hosts/carol/etc/strongswan.conf | 20 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/dave/etc/strongswan.conf | 20 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/strongswan.conf | 21 + .../hosts/moon/etc/swanctl/swanctl.conf | 37 + .../swanctl/rw-eap-peap-mschapv2/posttest.dat | 6 + .../tests/swanctl/rw-eap-peap-mschapv2/pretest.dat | 13 + .../tests/swanctl/rw-eap-peap-mschapv2/test.conf | 25 + .../swanctl/rw-eap-peap-radius/description.txt | 9 + .../tests/swanctl/rw-eap-peap-radius/evaltest.dat | 17 + .../alice/etc/freeradius/3.0/mods-available/eap | 21 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 38 + .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/eap.conf | 18 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../etc/freeradius/sites-available/inner-tunnel | 32 + .../hosts/alice/etc/freeradius/users | 2 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 27 + .../tests/swanctl/rw-eap-peap-radius/posttest.dat | 7 + .../tests/swanctl/rw-eap-peap-radius/pretest.dat | 14 + testing/tests/swanctl/rw-eap-peap-radius/test.conf | 29 + .../swanctl/rw-eap-sim-id-radius/description.txt | 13 + .../swanctl/rw-eap-sim-id-radius/evaltest.dat | 10 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 58 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 1 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 53 + .../hosts/alice/etc/freeradius/users | 1 + .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 27 + .../swanctl/rw-eap-sim-id-radius/posttest.dat | 5 + .../tests/swanctl/rw-eap-sim-id-radius/pretest.dat | 10 + .../tests/swanctl/rw-eap-sim-id-radius/test.conf | 29 + .../swanctl/rw-eap-sim-only-radius/description.txt | 15 + .../swanctl/rw-eap-sim-only-radius/evaltest.dat | 13 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 72 + .../hosts/alice/etc/freeradius/users | 2 + .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 + .../hosts/dave/etc/ipsec.d/triplets.dat | 3 + .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 26 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../swanctl/rw-eap-sim-only-radius/posttest.dat | 7 + .../swanctl/rw-eap-sim-only-radius/pretest.dat | 16 + .../tests/swanctl/rw-eap-sim-only-radius/test.conf | 29 + .../swanctl/rw-eap-sim-radius/description.txt | 15 + .../tests/swanctl/rw-eap-sim-radius/evaltest.dat | 13 + .../alice/etc/freeradius/3.0/mods-available/eap | 5 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/eap.conf | 5 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 72 + .../hosts/alice/etc/freeradius/users | 2 + .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 + .../hosts/dave/etc/ipsec.d/triplets.dat | 3 + .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 26 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../tests/swanctl/rw-eap-sim-radius/posttest.dat | 7 + .../tests/swanctl/rw-eap-sim-radius/pretest.dat | 16 + testing/tests/swanctl/rw-eap-sim-radius/test.conf | 29 + .../tests/swanctl/rw-eap-sim-rsa/description.txt | 8 + testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat | 9 + .../hosts/carol/etc/ipsec.d/triplets.dat | 3 + .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 26 + .../hosts/moon/etc/ipsec.d/triplets.dat | 3 + .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf | 9 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat | 5 + testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat | 8 + testing/tests/swanctl/rw-eap-sim-rsa/test.conf | 25 + .../tests/swanctl/rw-eap-tls-only/description.txt | 4 + testing/tests/swanctl/rw-eap-tls-only/evaltest.dat | 10 + .../hosts/carol/etc/strongswan.conf | 16 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 20 + .../hosts/moon/etc/swanctl/swanctl.conf | 25 + testing/tests/swanctl/rw-eap-tls-only/posttest.dat | 5 + testing/tests/swanctl/rw-eap-tls-only/pretest.dat | 7 + testing/tests/swanctl/rw-eap-tls-only/test.conf | 25 + .../swanctl/rw-eap-tls-radius/description.txt | 7 + .../tests/swanctl/rw-eap-tls-radius/evaltest.dat | 9 + .../alice/etc/freeradius/3.0/mods-available/eap | 16 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 0 .../etc/freeradius/3.0/sites-available/default | 55 + .../freeradius/3.0/sites-available/inner-tunnel | 0 .../hosts/alice/etc/freeradius/3.0/users | 0 .../hosts/alice/etc/freeradius/eap.conf | 13 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 41 + .../hosts/alice/etc/freeradius/users | 1 + .../hosts/carol/etc/strongswan.conf | 16 + .../hosts/carol/etc/swanctl/swanctl.conf | 27 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 26 + .../tests/swanctl/rw-eap-tls-radius/posttest.dat | 5 + .../tests/swanctl/rw-eap-tls-radius/pretest.dat | 8 + testing/tests/swanctl/rw-eap-tls-radius/test.conf | 29 + .../tests/swanctl/rw-eap-ttls-only/description.txt | 11 + .../tests/swanctl/rw-eap-ttls-only/evaltest.dat | 17 + .../hosts/carol/etc/strongswan.conf | 20 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/dave/etc/strongswan.conf | 20 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/strongswan.conf | 21 + .../hosts/moon/etc/swanctl/swanctl.conf | 37 + .../tests/swanctl/rw-eap-ttls-only/posttest.dat | 6 + testing/tests/swanctl/rw-eap-ttls-only/pretest.dat | 13 + testing/tests/swanctl/rw-eap-ttls-only/test.conf | 25 + .../swanctl/rw-eap-ttls-radius/description.txt | 9 + .../tests/swanctl/rw-eap-ttls-radius/evaltest.dat | 17 + .../alice/etc/freeradius/3.0/mods-available/eap | 21 + .../hosts/alice/etc/freeradius/3.0/proxy.conf | 5 + .../etc/freeradius/3.0/sites-available/default | 59 + .../freeradius/3.0/sites-available/inner-tunnel | 38 + .../hosts/alice/etc/freeradius/3.0/users | 2 + .../hosts/alice/etc/freeradius/eap.conf | 18 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../etc/freeradius/sites-available/inner-tunnel | 32 + .../hosts/alice/etc/freeradius/users | 2 + .../hosts/carol/etc/strongswan.conf | 9 + .../hosts/carol/etc/swanctl/swanctl.conf | 35 + .../hosts/dave/etc/strongswan.conf | 9 + .../hosts/dave/etc/swanctl/swanctl.conf | 35 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/swanctl/swanctl.conf | 27 + .../tests/swanctl/rw-eap-ttls-radius/posttest.dat | 7 + .../tests/swanctl/rw-eap-ttls-radius/pretest.dat | 14 + testing/tests/swanctl/rw-eap-ttls-radius/test.conf | 29 + testing/tests/tnc/tnccs-11-fhh/description.txt | 13 - testing/tests/tnc/tnccs-11-fhh/evaltest.dat | 18 - .../tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon | 158 - .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf | 22 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file | 1 - .../hosts/carol/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config | 4 - .../tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon | 158 - .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf | 22 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file | 1 - .../hosts/dave/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config | 4 - .../tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon | 158 - .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf | 28 - .../hosts/moon/etc/swanctl/swanctl.conf | 64 - .../hosts/moon/etc/tnc/dummyimv.policy | 1 - .../hosts/moon/etc/tnc/hostscannerimv.policy | 40 - .../hosts/moon/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config | 4 - testing/tests/tnc/tnccs-11-fhh/posttest.dat | 6 - testing/tests/tnc/tnccs-11-fhh/pretest.dat | 20 - testing/tests/tnc/tnccs-11-fhh/test.conf | 28 - .../tnc/tnccs-11-radius-block/description.txt | 14 - .../tests/tnc/tnccs-11-radius-block/evaltest.dat | 15 - .../hosts/alice/etc/freeradius/eap.conf | 25 - .../hosts/alice/etc/freeradius/proxy.conf | 5 - .../alice/etc/freeradius/sites-available/default | 43 - .../etc/freeradius/sites-available/inner-tunnel | 32 - .../freeradius/sites-available/inner-tunnel-second | 36 - .../hosts/alice/etc/freeradius/users | 2 - .../hosts/alice/etc/strongswan.conf | 12 - .../hosts/alice/etc/tnc/log4cxx.properties | 15 - .../hosts/alice/etc/tnc_config | 4 - .../hosts/carol/etc/strongswan.conf | 27 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../hosts/carol/etc/tnc_config | 4 - .../hosts/dave/etc/strongswan.conf | 30 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../hosts/dave/etc/tnc_config | 4 - .../hosts/moon/etc/iptables.rules | 32 - .../hosts/moon/etc/strongswan.conf | 15 - .../hosts/moon/etc/swanctl/swanctl.conf | 27 - .../tests/tnc/tnccs-11-radius-block/posttest.dat | 8 - .../tests/tnc/tnccs-11-radius-block/pretest.dat | 21 - testing/tests/tnc/tnccs-11-radius-block/test.conf | 29 - .../tests/tnc/tnccs-11-radius-pts/description.txt | 14 - testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat | 18 - .../hosts/alice/etc/freeradius/eap.conf | 25 - .../hosts/alice/etc/freeradius/proxy.conf | 5 - .../alice/etc/freeradius/sites-available/default | 43 - .../etc/freeradius/sites-available/inner-tunnel | 32 - .../freeradius/sites-available/inner-tunnel-second | 36 - .../hosts/alice/etc/freeradius/users | 2 - .../hosts/alice/etc/pts/data1.sql | 29 - .../hosts/alice/etc/strongswan.conf | 13 - .../hosts/alice/etc/tnc/log4cxx.properties | 15 - .../tnccs-11-radius-pts/hosts/alice/etc/tnc_config | 4 - .../hosts/carol/etc/strongswan.conf | 19 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../tnccs-11-radius-pts/hosts/carol/etc/tnc_config | 4 - .../hosts/dave/etc/strongswan.conf | 20 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../tnccs-11-radius-pts/hosts/dave/etc/tnc_config | 4 - .../hosts/moon/etc/iptables.rules | 32 - .../hosts/moon/etc/strongswan.conf | 15 - .../hosts/moon/etc/swanctl/swanctl.conf | 53 - testing/tests/tnc/tnccs-11-radius-pts/posttest.dat | 9 - testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 28 - testing/tests/tnc/tnccs-11-radius-pts/test.conf | 33 - testing/tests/tnc/tnccs-11-radius/description.txt | 13 - testing/tests/tnc/tnccs-11-radius/evaltest.dat | 18 - .../hosts/alice/etc/freeradius/eap.conf | 25 - .../hosts/alice/etc/freeradius/proxy.conf | 5 - .../alice/etc/freeradius/sites-available/default | 43 - .../etc/freeradius/sites-available/inner-tunnel | 32 - .../freeradius/sites-available/inner-tunnel-second | 36 - .../hosts/alice/etc/freeradius/users | 2 - .../hosts/alice/etc/strongswan.conf | 12 - .../hosts/alice/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-11-radius/hosts/alice/etc/tnc_config | 4 - .../hosts/carol/etc/strongswan.conf | 30 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../tnc/tnccs-11-radius/hosts/carol/etc/tnc_config | 4 - .../tnccs-11-radius/hosts/dave/etc/strongswan.conf | 30 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../tnc/tnccs-11-radius/hosts/dave/etc/tnc_config | 4 - .../tnccs-11-radius/hosts/moon/etc/iptables.rules | 32 - .../tnccs-11-radius/hosts/moon/etc/strongswan.conf | 15 - .../hosts/moon/etc/swanctl/swanctl.conf | 53 - testing/tests/tnc/tnccs-11-radius/posttest.dat | 8 - testing/tests/tnc/tnccs-11-radius/pretest.dat | 22 - testing/tests/tnc/tnccs-11-radius/test.conf | 29 - .../tests/tnc/tnccs-11-supplicant/description.txt | 12 - testing/tests/tnc/tnccs-11-supplicant/evaltest.dat | 2 - .../hosts/alice/etc/freeradius/eap.conf | 25 - .../hosts/alice/etc/freeradius/proxy.conf | 5 - .../alice/etc/freeradius/sites-available/default | 43 - .../etc/freeradius/sites-available/inner-tunnel | 32 - .../freeradius/sites-available/inner-tunnel-second | 36 - .../hosts/alice/etc/freeradius/users | 2 - .../hosts/alice/etc/strongswan.conf | 12 - .../hosts/alice/etc/tnc/log4cxx.properties | 15 - .../tnccs-11-supplicant/hosts/alice/etc/tnc_config | 4 - .../hosts/carol/etc/strongswan.conf | 11 - .../hosts/carol/etc/swanctl/swanctl.conf | 1 - .../tnccs-11-supplicant/hosts/carol/etc/tnc_config | 4 - .../hosts/carol/etc/wpa_supplicant.conf | 10 - .../hosts/dave/etc/strongswan.conf | 11 - .../hosts/dave/etc/swanctl/swanctl.conf | 1 - .../tnccs-11-supplicant/hosts/dave/etc/tnc_config | 4 - .../hosts/dave/etc/wpa_supplicant.conf | 10 - .../hosts/moon/etc/hostapd/hostapd.conf | 1127 ---- testing/tests/tnc/tnccs-11-supplicant/posttest.dat | 5 - testing/tests/tnc/tnccs-11-supplicant/pretest.dat | 11 - testing/tests/tnc/tnccs-11-supplicant/test.conf | 29 - .../hosts/carol/etc/pts/collector.sql | 39 + testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat | 1 + testing/tests/tnc/tnccs-20-fhh/description.txt | 13 - testing/tests/tnc/tnccs-20-fhh/evaltest.dat | 18 - .../tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon | 158 - .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf | 18 - .../hosts/carol/etc/swanctl/swanctl.conf | 35 - .../tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file | 1 - .../hosts/carol/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config | 3 - .../tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon | 158 - .../tnccs-20-fhh/hosts/dave/etc/strongswan.conf | 17 - .../hosts/dave/etc/swanctl/swanctl.conf | 35 - .../tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file | 1 - .../hosts/dave/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config | 3 - .../tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon | 158 - .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf | 21 - .../hosts/moon/etc/swanctl/swanctl.conf | 64 - .../hosts/moon/etc/tnc/dummyimv.policy | 1 - .../hosts/moon/etc/tnc/hostscannerimv.policy | 40 - .../hosts/moon/etc/tnc/log4cxx.properties | 15 - .../tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config | 3 - testing/tests/tnc/tnccs-20-fhh/posttest.dat | 6 - testing/tests/tnc/tnccs-20-fhh/pretest.dat | 20 - testing/tests/tnc/tnccs-20-fhh/test.conf | 29 - .../etc/apache2/sites-available/000-default.conf | 8 +- .../alice/etc/apache2/sites-available/default | 1 - .../etc/apache2/sites-available/000-default.conf | 8 +- .../alice/etc/apache2/sites-available/default | 1 - 1140 files changed, 12764 insertions(+), 15509 deletions(-) create mode 100644 testing/config/kernel/config-4.19 create mode 100644 testing/hosts/alice/etc/freeradius/3.0/clients.conf create mode 100644 testing/hosts/alice/etc/freeradius/3.0/radiusd.conf create mode 100644 testing/hosts/venus/etc/default/isc-dhcp-server delete mode 100644 testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text delete mode 100644 testing/scripts/recipes/001_libtnc.mk delete mode 100644 testing/scripts/recipes/002_tnc-fhh.mk delete mode 100644 testing/scripts/recipes/003_freeradius.mk delete mode 100644 testing/scripts/recipes/004_hostapd.mk delete mode 100644 testing/scripts/recipes/004_wpa_supplicant.mk delete mode 100644 testing/scripts/recipes/patches/freeradius-eap-sim-identity delete mode 100644 testing/scripts/recipes/patches/freeradius-tnc-fhh delete mode 100644 testing/scripts/recipes/patches/hostapd-config delete mode 100644 testing/scripts/recipes/patches/tnc-fhh-tncsim delete mode 100644 testing/scripts/recipes/patches/wpa_supplicant-eap-tnc create mode 100755 testing/tests/botan/net2net-ed25519/description.txt create mode 100755 testing/tests/botan/net2net-ed25519/evaltest.dat create mode 100755 testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem create mode 100755 testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem create mode 100755 testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem create mode 100755 testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem create mode 100644 testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem create mode 100755 testing/tests/botan/net2net-ed25519/posttest.dat create mode 100755 testing/tests/botan/net2net-ed25519/pretest.dat create mode 100755 testing/tests/botan/net2net-ed25519/test.conf create mode 100644 testing/tests/botan/net2net-pkcs12/description.txt create mode 100644 testing/tests/botan/net2net-pkcs12/evaltest.dat create mode 100644 testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 create mode 100755 testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 create mode 100755 testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-pkcs12/posttest.dat create mode 100644 testing/tests/botan/net2net-pkcs12/pretest.dat create mode 100644 testing/tests/botan/net2net-pkcs12/test.conf create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/description.txt create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem create mode 100644 testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat create mode 100755 testing/tests/botan/net2net-sha3-rsa-cert/test.conf create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf delete mode 100644 testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf delete mode 100644 testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem create mode 100755 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/description.txt delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-aes-gcm/test.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/description.txt delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/alg-blowfish/test.conf delete mode 100644 testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der delete mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der delete mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der delete mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem create mode 100755 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem create mode 100644 testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 create mode 100755 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 delete mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 create mode 100755 testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/description.txt delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-128/test.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/description.txt delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat delete mode 100644 testing/tests/openssl-ikev2/rw-suite-b-192/test.conf delete mode 100644 testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf create mode 100755 testing/tests/swanctl/host2host-cert/description.txt create mode 100755 testing/tests/swanctl/host2host-cert/evaltest.dat create mode 100755 testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/host2host-cert/posttest.dat create mode 100755 testing/tests/swanctl/host2host-cert/pretest.dat create mode 100755 testing/tests/swanctl/host2host-cert/test.conf create mode 100755 testing/tests/swanctl/host2host-transport/description.txt create mode 100755 testing/tests/swanctl/host2host-transport/evaltest.dat create mode 100755 testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/host2host-transport/posttest.dat create mode 100755 testing/tests/swanctl/host2host-transport/pretest.dat create mode 100755 testing/tests/swanctl/host2host-transport/test.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/description.txt create mode 100755 testing/tests/swanctl/ip-two-pools-db/evaltest.dat create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools-db/posttest.dat create mode 100755 testing/tests/swanctl/ip-two-pools-db/pretest.dat create mode 100755 testing/tests/swanctl/ip-two-pools-db/test.conf create mode 100755 testing/tests/swanctl/ip-two-pools/description.txt create mode 100755 testing/tests/swanctl/ip-two-pools/evaltest.dat create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/ip-two-pools/posttest.dat create mode 100755 testing/tests/swanctl/ip-two-pools/pretest.dat create mode 100755 testing/tests/swanctl/ip-two-pools/test.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users delete mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files delete mode 100644 testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat create mode 100644 testing/tests/swanctl/nat-rw-psk/description.txt create mode 100644 testing/tests/swanctl/nat-rw-psk/evaltest.dat create mode 100644 testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw-psk/posttest.dat create mode 100644 testing/tests/swanctl/nat-rw-psk/pretest.dat create mode 100644 testing/tests/swanctl/nat-rw-psk/test.conf create mode 100644 testing/tests/swanctl/nat-rw/description.txt create mode 100644 testing/tests/swanctl/nat-rw/evaltest.dat create mode 100644 testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules create mode 100644 testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf create mode 100755 testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/nat-rw/posttest.dat create mode 100644 testing/tests/swanctl/nat-rw/pretest.dat create mode 100644 testing/tests/swanctl/nat-rw/test.conf create mode 100755 testing/tests/swanctl/net2net-psk/description.txt create mode 100755 testing/tests/swanctl/net2net-psk/evaltest.dat create mode 100755 testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf create mode 100755 testing/tests/swanctl/net2net-psk/posttest.dat create mode 100755 testing/tests/swanctl/net2net-psk/pretest.dat create mode 100755 testing/tests/swanctl/net2net-psk/test.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-aka-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-id-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-md5-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/description.txt create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-md5/test.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-peap-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-id-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-only-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/description.txt create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-sim-rsa/test.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-only/description.txt create mode 100644 testing/tests/swanctl/rw-eap-tls-only/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-only/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-only/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-only/test.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-tls-radius/test.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/description.txt create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-only/test.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/description.txt create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat create mode 100644 testing/tests/swanctl/rw-eap-ttls-radius/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-fhh/evaltest.dat delete mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-fhh/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-fhh/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-fhh/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-block/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius-pts/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-radius/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-radius/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-radius/test.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/description.txt delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-11-supplicant/test.conf create mode 100644 testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql delete mode 100644 testing/tests/tnc/tnccs-20-fhh/description.txt delete mode 100644 testing/tests/tnc/tnccs-20-fhh/evaltest.dat delete mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties delete mode 100644 testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-fhh/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-20-fhh/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-20-fhh/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default (limited to 'testing') diff --git a/testing/config/kernel/config-4.19 b/testing/config/kernel/config-4.19 new file mode 100644 index 000000000..79cf9e71e --- /dev/null +++ b/testing/config/kernel/config-4.19 @@ -0,0 +1,2690 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.19.0 Kernel Configuration +# + +# +# Compiler: gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0 +# +CONFIG_CC_IS_GCC=y +CONFIG_GCC_VERSION=70300 +CONFIG_CLANG_VERSION=0 +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_BUILD_SALT="" +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y +CONFIG_GENERIC_IRQ_RESERVATION_MODE=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TINY_SRCU=y +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y +CONFIG_MEMCG_KMEM=y +CONFIG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_CHECKPOINT_RESTORE is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +CONFIG_FHANDLE=y +CONFIG_POSIX_TIMERS=y +CONFIG_PRINTK=y +CONFIG_PRINTK_NMI=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_FUTEX_PI=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_MEMBARRIER=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +# CONFIG_BPF_SYSCALL is not set +# CONFIG_USERFAULTFD is not set +CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_RSEQ=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_FREELIST_RANDOM is not set +# CONFIG_PROFILING is not set +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_ARCH_HAS_FILTER_PGPROT=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_CC_HAS_SANE_STACKPROTECTOR=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +CONFIG_RETPOLINE=y +# CONFIG_INTEL_RDT is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_NR_CPUS_RANGE_BEGIN=1 +CONFIG_NR_CPUS_RANGE_END=1 +CONFIG_NR_CPUS_DEFAULT=1 +CONFIG_NR_CPUS=1 +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +CONFIG_MICROCODE_OLD_INTERFACE=y +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +# CONFIG_X86_5LEVEL is not set +CONFIG_X86_DIRECT_GBPAGES=y +CONFIG_ARCH_HAS_MEM_ENCRYPT=y +# CONFIG_AMD_MEM_ENCRYPT is not set +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +CONFIG_X86_INTEL_UMIP=y +# CONFIG_X86_INTEL_MPX is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_LEGACY_VSYSCALL_EMULATE=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +CONFIG_MODIFY_LDT_SYSCALL=y +CONFIG_HAVE_LIVEPATCH=y +CONFIG_ARCH_HAS_ADD_PAGES=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ARCH_SUPPORTS_ACPI=y +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SPCR_TABLE=y +CONFIG_ACPI_LPIT=y +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_TAD is not set +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_DPTF_POWER is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_ACPI_CONFIGFS is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_INTEL_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +CONFIG_PCI_QUIRKS=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_STUB is not set +CONFIG_PCI_LOCKLESS_CONFIG=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y +# CONFIG_HOTPLUG_PCI is not set + +# +# PCI controller drivers +# + +# +# Cadence PCIe controllers support +# +# CONFIG_VMD is not set + +# +# DesignWare PCI Core Support +# +# CONFIG_PCIE_DW_PLAT_HOST is not set + +# +# PCI Endpoint +# +# CONFIG_PCI_ENDPOINT is not set + +# +# PCI switch controller drivers +# +# CONFIG_PCI_SW_SWITCHTEC is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Binary Emulations +# +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32 is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_HAVE_GENERIC_GUP=y + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_GOOGLE_FIRMWARE is not set + +# +# Tegra firmware driver +# +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set + +# +# General architecture-dependent options +# +CONFIG_CRASH_CORE=y +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_RSEQ=y +CONFIG_HAVE_CLK=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_STACKPROTECTOR=y +CONFIG_CC_HAS_STACKPROTECTOR_NONE=y +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_HAVE_MOD_ARCH_SPECIFIC=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_HAVE_COPY_THREAD_TLS=y +CONFIG_HAVE_STACK_VALIDATION=y +CONFIG_HAVE_RELIABLE_STACKTRACE=y +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +CONFIG_ARCH_HAS_REFCOUNT=y +# CONFIG_REFCOUNT_FULL is not set +CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +CONFIG_PLUGIN_HOSTCC="" +CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_DEV_ZONED is not set +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_CMDLINE_PARSER is not set +# CONFIG_BLK_WBT is not set +# CONFIG_BLK_CGROUP_IOLATENCY is not set +# CONFIG_BLK_SED_OPAL is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_VIRTIO=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_CFQ_GROUP_IOSCHED is not set +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +# CONFIG_IOSCHED_BFQ is not set +CONFIG_ASN1=y +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y +CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y +CONFIG_FREEZER=y + +# +# Executable file formats +# +CONFIG_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y + +# +# Memory Management options +# +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_ARCH_WANTS_THP_SWAP=y +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ARCH_HAS_ZONE_DEVICE=y +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +# CONFIG_PERCPU_STATS is not set +# CONFIG_GUP_BENCHMARK is not set +CONFIG_ARCH_HAS_PTE_SPECIAL=y +CONFIG_NET=y +CONFIG_NET_INGRESS=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_TLS=y +# CONFIG_TLS_DEVICE is not set +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +# CONFIG_XFRM_INTERFACE is not set +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y +# CONFIG_SYN_COOKIES is not set +CONFIG_NET_IPVTI=y +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_NET_FOU_IP_TUNNELS is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_INET_RAW_DIAG is not set +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +# CONFIG_IPV6_ILA is not set +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +CONFIG_IPV6_VTI=y +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_IPV6_SEG6_LWTUNNEL is not set +# CONFIG_IPV6_SEG6_HMAC is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK=y +CONFIG_NETFILTER_FAMILY_ARP=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +# CONFIG_NETFILTER_NETLINK_OSF is not set +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +# CONFIG_NF_LOG_NETDEV is not set +CONFIG_NETFILTER_CONNCOUNT=y +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CONNTRACK_LABELS is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +CONFIG_NF_NAT_REDIRECT=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_IPMAC is not set +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +# CONFIG_NF_SOCKET_IPV4 is not set +# CONFIG_NF_TPROXY_IPV4 is not set +# CONFIG_NF_DUP_IPV4 is not set +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +# CONFIG_NF_SOCKET_IPV6 is not set +# CONFIG_NF_TPROXY_IPV6 is not set +# CONFIG_NF_DUP_IPV6 is not set +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +# CONFIG_IP6_NF_MATCH_SRH is not set +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_TARGET_MASQUERADE=y +CONFIG_IP6_NF_TARGET_NPT=y +CONFIG_NF_DEFRAG_IPV6=y +# CONFIG_BPFILTER is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_NET_DSA is not set +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +CONFIG_DNS_RESOLVER=y +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_MPLS is not set +# CONFIG_NET_NSH is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_NET_NCSI is not set +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +CONFIG_STREAM_PARSER=y +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_PSAMPLE is not set +# CONFIG_NET_IFE is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +CONFIG_GRO_CELLS=y +# CONFIG_NET_DEVLINK is not set +CONFIG_MAY_USE_DEVLINK=y +CONFIG_FAILOVER=y +CONFIG_HAVE_EBPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y + +# +# Firmware loader +# +CONFIG_FW_LOADER=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_GNSS is not set +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_VIRTIO_BLK_SCSI is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set + +# +# NVME Support +# +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_NVME_FC is not set + +# +# Misc devices +# +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module (requires I2C) +# +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC & related support +# + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# SCIF Bus Driver +# +# CONFIG_SCIF_BUS is not set + +# +# VOP Bus Driver +# +# CONFIG_VOP_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# + +# +# SCIF Driver +# + +# +# Intel MIC Coprocessor State Management (COSM) Drivers +# + +# +# VOP Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_MISC_RTSX_PCI is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_TARGET_CORE is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_IPVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_GTP is not set +CONFIG_MACSEC=y +# CONFIG_NETCONSOLE is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# + +# +# Distributed Switch Architecture drivers +# +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +# CONFIG_ENA_ETHERNET is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +# CONFIG_NET_VENDOR_AURORA is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +# CONFIG_SYSTEMPORT is not set +# CONFIG_BNXT is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CADENCE=y +# CONFIG_MACB is not set +CONFIG_NET_VENDOR_CAVIUM=y +# CONFIG_THUNDER_NIC_PF is not set +# CONFIG_THUNDER_NIC_VF is not set +# CONFIG_THUNDER_NIC_BGX is not set +# CONFIG_THUNDER_NIC_RGX is not set +CONFIG_CAVIUM_PTP=y +# CONFIG_LIQUIDIO is not set +# CONFIG_LIQUIDIO_VF is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +CONFIG_NET_VENDOR_CORTINA=y +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_HUAWEI=y +# CONFIG_HINIC is not set +CONFIG_NET_VENDOR_I825XX=y +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_ICE is not set +# CONFIG_FM10K is not set +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_MLXFW is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MICROSEMI=y +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_NETERION=y +# CONFIG_S2IO is not set +# CONFIG_VXGE is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP is not set +CONFIG_NET_VENDOR_NI=y +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_VENDOR_PACKET_ENGINES=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +# CONFIG_QED is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCOM_EMAC is not set +# CONFIG_RMNET is not set +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SOLARFLARE=y +# CONFIG_SFC is not set +# CONFIG_SFC_FALCON is not set +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_SOCIONEXT=y +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_SYNOPSYS=y +# CONFIG_DWC_XLGMAC is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_ALE is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_MDIO_DEVICE is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K_PCI is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +# CONFIG_HOSTAP is not set +# CONFIG_PRISM54 is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WLAN_VENDOR_QUANTENNA=y + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +CONFIG_NET_FAILOVER=y +# CONFIG_ISDN is not set +# CONFIG_NVM is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_DEV_BUS is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set +# CONFIG_RANDOM_TRUST_CPU is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +# CONFIG_PPS is not set + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. +# +# CONFIG_PINCTRL is not set +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +CONFIG_HWMON=y +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NPCM7XX is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +# CONFIG_THERMAL_STATISTICS is not set +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +# CONFIG_THERMAL_WRITABLE_TRIPS is not set +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CROS_EC is not set +# CONFIG_MFD_MADERA is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +CONFIG_RC_CORE=y +CONFIG_RC_MAP=y +# CONFIG_LIRC is not set +CONFIG_RC_DECODERS=y +CONFIG_IR_NEC_DECODER=y +CONFIG_IR_RC5_DECODER=y +CONFIG_IR_RC6_DECODER=y +CONFIG_IR_JVC_DECODER=y +CONFIG_IR_SONY_DECODER=y +CONFIG_IR_SANYO_DECODER=y +CONFIG_IR_SHARP_DECODER=y +CONFIG_IR_MCE_KBD_DECODER=y +CONFIG_IR_XMP_DECODER=y +# CONFIG_IR_IMON_DECODER is not set +# CONFIG_RC_DEVICES is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set +# CONFIG_DRM_DP_CEC is not set + +# +# ACP (Audio CoProcessor) Configuration +# + +# +# AMD Library routines +# + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_SOUND=y +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +# CONFIG_HID_COUGAR is not set +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_JABRA is not set +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_HID_LOGITECH_HIDPP is not set +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_REDRAGON=y +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEAM is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set +# CONFIG_TYPEC is not set +# CONFIG_USB_ULPI_BUS is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y +CONFIG_VIRTIO_MENU=y +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACER_WIRELESS is not set +# CONFIG_ACERHDF is not set +# CONFIG_DELL_SMBIOS is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_GPD_POCKET_FAN is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_VBTN is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_INTEL_PMC_IPC is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# CONFIG_INTEL_PUNIT_IPC is not set +CONFIG_PMC_ATOM=y +# CONFIG_CHROME_PLATFORMS is not set +# CONFIG_MELLANOX_PLATFORM is not set +CONFIG_CLKDEV_LOOKUP=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y + +# +# Common Clock Framework +# +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set + +# +# Rpmsg drivers +# +# CONFIG_RPMSG_VIRTIO is not set +# CONFIG_SOUNDWIRE is not set + +# +# SOC (System On Chip) specific Drivers +# + +# +# Amlogic SoC drivers +# + +# +# Broadcom SoC drivers +# + +# +# NXP/Freescale QorIQ SoC drivers +# + +# +# i.MX SoC drivers +# + +# +# Qualcomm SoC drivers +# +# CONFIG_SOC_TI is not set + +# +# Xilinx SoC drivers +# +# CONFIG_XILINX_VCU is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set + +# +# IRQ chip support +# +CONFIG_ARM_GIC_MAX_NR=1 +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# CONFIG_RAS is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set + +# +# HW tracing support +# +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set +# CONFIG_FPGA is not set +# CONFIG_UNISYS_VISORBUS is not set +# CONFIG_SIOX is not set +# CONFIG_SLIMBUS is not set + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_FS_IOMAP=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_ENCRYPTION is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +CONFIG_MANDATORY_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +CONFIG_AUTOFS_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +CONFIG_MEMFD_CREATE=y +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_ECRYPT_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Security options +# +CONFIG_KEYS=y +# CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_BIG_KEYS is not set +# CONFIG_ENCRYPTED_KEYS is not set +# CONFIG_KEY_DH_OPERATIONS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +CONFIG_CRYPTO_RSA=y +CONFIG_CRYPTO_DH=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_MCRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_SIMD=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_CHACHA20POLY1305=y +# CONFIG_CRYPTO_AEGIS128 is not set +# CONFIG_CRYPTO_AEGIS128L is not set +# CONFIG_CRYPTO_AEGIS256 is not set +# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set +# CONFIG_CRYPTO_AEGIS128L_AESNI_SSE2 is not set +# CONFIG_CRYPTO_AEGIS256_AESNI_SSE2 is not set +# CONFIG_CRYPTO_MORUS640 is not set +# CONFIG_CRYPTO_MORUS640_SSE2 is not set +# CONFIG_CRYPTO_MORUS1280 is not set +# CONFIG_CRYPTO_MORUS1280_SSE2 is not set +# CONFIG_CRYPTO_MORUS1280_AVX2 is not set +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +# CONFIG_CRYPTO_CFB is not set +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +# CONFIG_CRYPTO_KEYWRAP is not set + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256_MB=y +CONFIG_CRYPTO_SHA512_MB=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_SM3=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_SM4=y +# CONFIG_CRYPTO_SPECK is not set +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y +# CONFIG_CRYPTO_ZSTD is not set + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +CONFIG_CRYPTO_HASH_INFO=y +# CONFIG_CRYPTO_HW is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y + +# +# Certificates for signature checking +# +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set +# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +CONFIG_RATIONAL=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC64 is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_DMA_DIRECT_OPS=y +CONFIG_SWIOTLB=y +CONFIG_SGL_ALLOC=y +CONFIG_IOMMU_HELPER=y +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y +CONFIG_ARCH_HAS_SG_CHAIN=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_SBITMAP=y +# CONFIG_STRING_SELFTEST is not set + +# +# Kernel hacking +# + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_CONSOLE_LOGLEVEL_QUIET=4 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_STACK_VALIDATION=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KASAN=y +# CONFIG_KASAN is not set +CONFIG_ARCH_HAS_KCOV=y +CONFIG_CC_HAS_SANCOV_TRACE_PC=y +# CONFIG_KCOV is not set +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_WQ_WATCHDOG is not set +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_DEBUG_TIMEKEEPING is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +CONFIG_LOCK_DEBUGGING_SUPPORT=y +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_RCU_PERF_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_PREEMPTIRQ_EVENTS is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set +CONFIG_RUNTIME_TESTING_MENU=y +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_TEST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_BITFIELD is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_OVERFLOW is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_HASH is not set +# CONFIG_TEST_IDA is not set +# CONFIG_FIND_BIT_BENCHMARK is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_SYSCTL is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_MEMTEST is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN is not set +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set +CONFIG_TRACE_IRQFLAGS_SUPPORT=y +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_X86_PTDUMP is not set +# CONFIG_DEBUG_WX is not set +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set +CONFIG_UNWINDER_ORC=y +# CONFIG_UNWINDER_FRAME_POINTER is not set diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml index 0bf1eb596..c8ff289db 100644 --- a/testing/config/kvm/alice.xml +++ b/testing/config/kvm/alice.xml @@ -1,13 +1,13 @@ alice 1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9 - 131072 - 131072 + 163840 + 163840 1 hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml index f2425b222..0b433a437 100644 --- a/testing/config/kvm/bob.xml +++ b/testing/config/kvm/bob.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml index 51a7d8336..3eb163f6c 100644 --- a/testing/config/kvm/carol.xml +++ b/testing/config/kvm/carol.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml index 9e26b9629..d8d05a9e9 100644 --- a/testing/config/kvm/dave.xml +++ b/testing/config/kvm/dave.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml index 954af7aa1..943ab35b5 100644 --- a/testing/config/kvm/moon.xml +++ b/testing/config/kvm/moon.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml index c2d26737c..893a4aa37 100644 --- a/testing/config/kvm/sun.xml +++ b/testing/config/kvm/sun.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml index acc0d361a..a0b60171b 100644 --- a/testing/config/kvm/venus.xml +++ b/testing/config/kvm/venus.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml index b21cb7b08..59d7184f6 100644 --- a/testing/config/kvm/winnetou.xml +++ b/testing/config/kvm/winnetou.xml @@ -7,7 +7,7 @@ hvm /var/run/kvm-swan-kernel - root=/dev/vda1 loglevel=1 console=hvc0 + root=/dev/vda1 loglevel=1 console=hvc0 net.ifnames=0 diff --git a/testing/do-tests b/testing/do-tests index 52d0d70eb..fad3af8cd 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -51,11 +51,15 @@ subdir_cnt="0" ############################################################################## # parse optional arguments # -while getopts "v" opt +while getopts "vt" opt do case "$opt" in v) verbose=YES + timestamps=YES + ;; + t) + timestamps=YES ;; esac done @@ -64,7 +68,7 @@ shift $((OPTIND-1)) function print_time() { - [ "$verbose" == "YES" ] && echo "$(date +%T.%N) ~ " + [ "$timestamps" == "YES" ] && echo "$(date +%T.%N) ~ " } ############################################################################## @@ -689,21 +693,25 @@ do do eval HOSTLOGIN=root@\$ipv4_${host} - for file in clients.conf eap.conf radiusd.conf proxy.conf users + RADIUS_DIR=/etc/freeradius/3.0 + RADIUS_EAP_FILE=mods-enabled/eap + RADIUS_EAP_NAME=eap + if [ "$BASEIMGSUITE" == "jessie" ] + then + RADIUS_DIR=/etc/freeradius + RADIUS_EAP_FILE=eap.conf + RADIUS_EAP_NAME=eap.conf + fi + + for file in clients.conf radiusd.conf proxy.conf users sites-enabled/default sites-enabled/inner-tunnel $RADIUS_EAP_FILE do - scp $SSHCONF $HOSTLOGIN:/etc/freeradius/$file \ - $TESTRESULTDIR/${host}.$file > /dev/null 2>&1 + scp $SSHCONF $HOSTLOGIN:$RADIUS_DIR/$file \ + $TESTRESULTDIR/${host}.$(basename $file) > /dev/null 2>&1 done - scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \ - $TESTRESULTDIR/${host}.strongswan.conf > /dev/null 2>&1 - scp $SSHCONF $HOSTLOGIN:/var/log/freeradius/radius.log \ $TESTRESULTDIR/${host}.radius.log > /dev/null 2>&1 - ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \ - >> $TESTRESULTDIR/${host}.daemon.log 2>/dev/null - chmod a+r $TESTRESULTDIR/* cat >> $TESTRESULTDIR/index.html <<@EOF

$host

@@ -713,14 +721,14 @@ do diff --git a/testing/hosts/alice/etc/freeradius/3.0/clients.conf b/testing/hosts/alice/etc/freeradius/3.0/clients.conf new file mode 100644 index 000000000..7fad83c33 --- /dev/null +++ b/testing/hosts/alice/etc/freeradius/3.0/clients.conf @@ -0,0 +1,5 @@ +client moon { + ipaddr = 10.1.0.1 + secret = gv6URkSs + require_message_authenticator = yes +} diff --git a/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf new file mode 100644 index 000000000..6139bb90f --- /dev/null +++ b/testing/hosts/alice/etc/freeradius/3.0/radiusd.conf @@ -0,0 +1,99 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = /var/log/freeradius +raddbdir = /etc/freeradius/3.0 +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = freeradius + +# Location of config and logfiles. +confdir = ${raddbdir} +modconfdir = ${confdir}/mods-config +certdir = ${sysconfdir}/raddb/certs +cadir = ${sysconfdir}/raddb/certs +run_dir = ${localstatedir}/run/${name} + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# correct_escapes: use correct backslash escaping +correct_escapes = true + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Logging section +log { + destination = files + colourise = yes + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +security { + user = freerad + group = freerad + allow_core_dumps = no + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 + auto_limit_acct = no +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/mods-enabled/ +} + +# Policies +policy { + $INCLUDE policy.d/ +} + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/hosts/alice/etc/freeradius/dictionary b/testing/hosts/alice/etc/freeradius/dictionary index 59a874b3e..4c2c7ebb4 100644 --- a/testing/hosts/alice/etc/freeradius/dictionary +++ b/testing/hosts/alice/etc/freeradius/dictionary @@ -11,7 +11,7 @@ # # The filename given here should be an absolute path. # -$INCLUDE /usr/local/share/freeradius/dictionary +$INCLUDE /usr/share/freeradius/dictionary # # Place additional attributes or $INCLUDEs here. They will diff --git a/testing/hosts/alice/etc/freeradius/radiusd.conf b/testing/hosts/alice/etc/freeradius/radiusd.conf index e4f721738..bcdc369d2 100644 --- a/testing/hosts/alice/etc/freeradius/radiusd.conf +++ b/testing/hosts/alice/etc/freeradius/radiusd.conf @@ -101,8 +101,6 @@ thread pool { modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf } # Instantiation diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config index 46b1f0231..cc6f43541 100644 --- a/testing/hosts/default/etc/ssh/sshd_config +++ b/testing/hosts/default/etc/ssh/sshd_config @@ -1,7 +1,7 @@ Port 22 Protocol 2 +Ciphers aes128-gcm@openssh.com HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key UsePrivilegeSeparation no PermitRootLogin yes diff --git a/testing/hosts/default/usr/local/bin/init_collector b/testing/hosts/default/usr/local/bin/init_collector index c522de874..df1462862 100755 --- a/testing/hosts/default/usr/local/bin/init_collector +++ b/testing/hosts/default/usr/local/bin/init_collector @@ -1,4 +1,6 @@ #! /bin/sh cat /usr/local/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/db.d/collector.db +sed -i "s:DEBIAN_VERSION:`cat /etc/debian_version`:" /etc/pts/collector.sql +cat /etc/pts/collector.sql | sqlite3 /etc/db.d/collector.db LEAK_DETECTIVE_DISABLE=1 /usr/local/sbin/sw-collector diff --git a/testing/hosts/venus/etc/default/isc-dhcp-server b/testing/hosts/venus/etc/default/isc-dhcp-server new file mode 100644 index 000000000..57a5c81f9 --- /dev/null +++ b/testing/hosts/venus/etc/default/isc-dhcp-server @@ -0,0 +1,3 @@ +# explicitly set an interface to avoid having to configure and run DHCPv6 +INTERFACESv4="eth0" +INTERFACESv6="" diff --git a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf index 68438a656..e362e138c 100644 --- a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf +++ b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf @@ -2,3 +2,4 @@ AddType text/plain .conf .log .sql .users AddType text/plain .secrets .listall .statusall AddType text/plain .conns .certs .sas .pools .authorities .stats AddType text/plain .policy .state .route .iptables .iptables-save +AddType text/plain .eap .default .inner-tunnel diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text deleted file mode 100644 index 68438a656..000000000 --- a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text +++ /dev/null @@ -1,4 +0,0 @@ -AddType text/plain .conf .log .sql .users -AddType text/plain .secrets .listall .statusall -AddType text/plain .conns .certs .sas .pools .authorities .stats -AddType text/plain .policy .state .route .iptables .iptables-save diff --git a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf index 0772c34ea..fb9e98424 100644 --- a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf +++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost.conf @@ -12,13 +12,7 @@ AddHandler cgi-script .cgi DirectoryIndex ocsp.cgi Options +ExecCGI - - Require all granted - - - Order deny,allow - Allow from all - + Require all granted ErrorLog /var/log/apache2/ocsp/error_log CustomLog /var/log/apache2/ocsp/access_log combined @@ -34,13 +28,7 @@ Listen 8881 DirectoryIndex ocsp.cgi Options +ExecCGI - - Require all granted - - - Order deny,allow - Allow from all - + Require all granted ErrorLog /var/log/apache2/ocsp/error_log CustomLog /var/log/apache2/ocsp/access_log combined @@ -56,13 +44,7 @@ Listen 8882 DirectoryIndex ocsp.cgi Options +ExecCGI - - Require all granted - - - Order deny,allow - Allow from all - + Require all granted ErrorLog /var/log/apache2/ocsp/error_log CustomLog /var/log/apache2/ocsp/access_log combined diff --git a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf index 260171cfd..b610836fc 100644 --- a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf @@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. CAHOME = /etc/openssl/duck RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] @@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -154,7 +146,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME #################################################################### diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf index d31752e30..ddd94d061 100644 --- a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf @@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. -CAHOME = /etc/openssl/ecdsa +CAHOME = /etc/openssl/ecdsa RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] @@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -156,7 +148,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME #authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880 crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl diff --git a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf index 5985b5650..170daba56 100644 --- a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf @@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. CAHOME = /etc/openssl/monster RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] @@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -156,7 +148,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME #authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880 crlDistributionPoints = URI:http://crl.strongswan.org/strongswan-monster.crl diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf index 9078b2043..b1ef68a11 100644 --- a/testing/hosts/winnetou/etc/openssl/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf @@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. -CAHOME = /etc/openssl +CAHOME = /etc/openssl RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] @@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -118,7 +110,7 @@ organizationName_default = Linux strongSwan #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -157,7 +149,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME #authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880 crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf index 7099413f0..f5ae64e36 100644 --- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf @@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. CAHOME = /etc/openssl/research RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] @@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -155,7 +147,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME crlDistributionPoints = URI:http://crl.strongswan.org/research.crl #################################################################### diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf index 12da734aa..11ff172ac 100644 --- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf @@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. -CAHOME = /etc/openssl/rfc3779 +CAHOME = /etc/openssl/rfc3779 RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] @@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -83,7 +75,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -113,12 +105,12 @@ organizationName = Organization Name (eg, company) organizationName_default = Linux strongSwan 0.organizationalUnitName = Organizational Unit Name (eg, section) -0.organizationalUnitName_default = RFC3779 +0.organizationalUnitName_default = RFC3779 #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -173,7 +165,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME #authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880 crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf index f3ec7e168..f1d080c0b 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf @@ -1,19 +1,11 @@ -# openssl.cnf - OpenSSL configuration file for the ZHW PKI -# Mario Strasser -# +# openssl.cnf - OpenSSL configuration file +# # This definitions were set by the ca_init script DO NOT change # them manually. -CAHOME = /etc/openssl/sales +CAHOME = /etc/openssl/sales RANDFILE = $CAHOME/.rand -# Extra OBJECT IDENTIFIER info: -oid_section = new_oids - -[ new_oids ] -SmartcardLogin = 1.3.6.1.4.1.311.20.2 -ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 - #################################################################### [ ca ] @@ -21,7 +13,7 @@ default_ca = root_ca # The default ca section #################################################################### -[ root_ca ] +[ root_ca ] dir = $CAHOME certs = $dir/certs # Where the issued certs are kept @@ -82,7 +74,7 @@ x509_extensions = ca_ext # The extensions to add to the self signed cert # req_extensions = v3_req # The extensions to add to a certificate request -# This sets a mask for permitted string types. There are several options. +# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. @@ -117,7 +109,7 @@ organizationName_default = Linux strongSwan #1.organizationalUnitName = Type (eg, Staff) #1.organizationalUnitName_default = Staff -#userId = UID +#userId = UID commonName = Common Name (eg, YOUR name) commonName_default = $ENV::COMMON_NAME @@ -155,7 +147,7 @@ basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always -subjectAltName = email:$ENV::COMMON_NAME +subjectAltName = email:$ENV::COMMON_NAME crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl #authorityInfoAccess = OCSP;URI:http://ocsp2.strongswan.org:8882 diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index 95453d620..7c30758bf 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -12,29 +12,34 @@ running_any $STRONGSWANHOSTS && die "Please stop test environment before running check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk # package includes/excludes -INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less +INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less,locales INC=$INC,build-essential,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,liblog4cxx10-dev -INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop,screen +INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https -INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev +INC=$INC,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev +INC=$INC,libxerces-c-dev,libgcrypt20-dev,traceroute case "$BASEIMGSUITE" in -wheezy) - INC=$INC,libxerces-c2-dev,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev - INC=$INC,libalog0.4.1-base-dev - ;; jessie) - INC=$INC,libxerces-c-dev,libahven4-dev,libxmlada5-dev,libgmpada5-dev - INC=$INC,libalog1-dev,libgcrypt20-dev + INC=$INC,libahven4-dev,libxmlada5-dev,libgmpada5-dev + INC=$INC,libalog1-dev + ;; +stretch) + INC=$INC,libahven5-dev,libxmlada-schema6-dev,libgmpada6-dev + INC=$INC,libalog2-dev ;; *) echo_warn "Package list for '$BASEIMGSUITE' might has to be updated" esac -SERVICES="apache2 dbus isc-dhcp-server slapd bind9" +SERVICES="apache2 dbus isc-dhcp-server slapd bind9 freeradius" INC=$INC,${SERVICES// /,} +# packages to install via APT, for SWIMA tests +APT="tmux" +# additional services to disable +SERVICES="$SERVICES systemd-timesyncd.service" CACHEDIR=$BUILDDIR/cache APTCACHE=$LOOPDIR/var/cache/apt/archives @@ -86,6 +91,13 @@ execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $ execute "mount -t proc none $LOOPDIR/proc" 0 do_on_exit graceful_umount $LOOPDIR/proc +log_action "Generating locales" +cat > $LOOPDIR/etc/locale.gen << EOF +de_CH.UTF-8 UTF-8 +en_US.UTF-8 UTF-8 +EOF +execute_chroot "locale-gen" + log_action "Downloading signing key for custom apt repo" execute_chroot "wget -q $BASEIMGEXTKEY -O /tmp/key" log_action "Installing signing key for custom apt repo" @@ -107,18 +119,15 @@ log_status $? log_action "Update package sources" execute_chroot "apt-get update" +log_action "Install packages via APT" +execute_chroot "apt-get -y install $APT" log_action "Install packages from custom repo" execute_chroot "apt-get -y upgrade" for service in $SERVICES do log_action "Disabling service $service" - if [ "$BASEIMGSUITE" == "wheezy" ] - then - execute_chroot "update-rc.d -f $service remove" - else - execute_chroot "systemctl disable $service" - fi + execute_chroot "systemctl disable $service" done log_action "Disabling root password" diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages index 7dd7188c2..5116d095e 100755 --- a/testing/scripts/build-guestimages +++ b/testing/scripts/build-guestimages @@ -76,12 +76,7 @@ do for service in "apache2 slapd bind9" do - if [ "$BASEIMGSUITE" == "wheezy" ] - then - execute_chroot "update-rc.d $service defaults" 0 - else - execute_chroot "systemctl enable $service" 0 - fi + execute_chroot "systemctl enable $service" 0 done fi sync diff --git a/testing/scripts/build-rootimage b/testing/scripts/build-rootimage index a84104a90..c6c41ada3 100755 --- a/testing/scripts/build-rootimage +++ b/testing/scripts/build-rootimage @@ -55,8 +55,11 @@ do_on_exit umount $LOOPDIR/root/shared echo "Installing software from source" RECPDIR=$DIR/recipes +if [ -d "$RECPDIR/patches" ] +then + execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0 +fi RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename` -execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0 for r in $RECIPES do cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile diff --git a/testing/scripts/recipes/001_libtnc.mk b/testing/scripts/recipes/001_libtnc.mk deleted file mode 100644 index b835958b7..000000000 --- a/testing/scripts/recipes/001_libtnc.mk +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/make - -PV = 1.25 -PKG = libtnc-$(PV) -TAR = $(PKG).tar.gz -SRC = http://downloads.sourceforge.net/project/libtnc/libtnc/$(PV)/$(TAR) - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = \ - --sysconfdir=/etc - -all: install - -$(TAR): - wget $(SRC) - -.$(PKG)-unpacked: $(TAR) - tar xfz $(TAR) - @touch $@ - -.$(PKG)-configured: .$(PKG)-unpacked - cd $(PKG) && ./configure $(CONFIG_OPTS) - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG) && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG) && make install diff --git a/testing/scripts/recipes/002_tnc-fhh.mk b/testing/scripts/recipes/002_tnc-fhh.mk deleted file mode 100644 index d4ed4f99c..000000000 --- a/testing/scripts/recipes/002_tnc-fhh.mk +++ /dev/null @@ -1,35 +0,0 @@ -#!/usr/bin/make - -PKG = fhhtnc -SRC = git://github.com/trustatfhh/tnc-fhh.git - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = \ - -DCOMPONENT=all \ - -DNAL=8021x - -PATCHES = \ - tnc-fhh-tncsim - -all: install - -.$(PKG)-cloned: - git clone $(SRC) $(PKG) - mkdir $(PKG)/build - @touch $@ - -.$(PKG)-patches-applied: .$(PKG)-cloned - cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1 - @touch $@ - -.$(PKG)-configured: .$(PKG)-patches-applied - cd $(PKG)/build && cmake $(CONFIG_OPTS) ../ - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG)/build && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG)/build && make install diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk deleted file mode 100644 index 71cfc238c..000000000 --- a/testing/scripts/recipes/003_freeradius.mk +++ /dev/null @@ -1,43 +0,0 @@ -#!/usr/bin/make - -PV = 2.2.8 -PKG = freeradius-server-$(PV) -TAR = $(PKG).tar.bz2 -SRC = ftp://ftp.freeradius.org/pub/freeradius/old/$(TAR) - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = \ - --with-raddbdir=/etc/freeradius \ - --sysconfdir=/etc \ - --with-logdir=/var/log/freeradius \ - --enable-developer \ - --with-experimental-modules - -PATCHES = \ - freeradius-eap-sim-identity \ - freeradius-tnc-fhh - -all: install - -$(TAR): - wget $(SRC) - -.$(PKG)-unpacked: $(TAR) - tar xfj $(TAR) - @touch $@ - -.$(PKG)-patches-applied: .$(PKG)-unpacked - cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1 - @touch $@ - -.$(PKG)-configured: .$(PKG)-patches-applied - cd $(PKG) && ./configure $(CONFIG_OPTS) - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG) && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG) && make install diff --git a/testing/scripts/recipes/004_hostapd.mk b/testing/scripts/recipes/004_hostapd.mk deleted file mode 100644 index 0acd428c9..000000000 --- a/testing/scripts/recipes/004_hostapd.mk +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/make - -PV = 2.0 -PKG = hostapd-$(PV) -TAR = $(PKG).tar.gz -SRC = http://w1.fi/releases/$(TAR) - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = - -PATCHES = \ - hostapd-config - -SUBDIR = hostapd - -all: install - -$(TAR): - wget $(SRC) - -.$(PKG)-unpacked: $(TAR) - tar xfz $(TAR) - @touch $@ - -.$(PKG)-patches-applied: .$(PKG)-unpacked - cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1 - @touch $@ - -.$(PKG)-configured: .$(PKG)-patches-applied - cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG)/$(SUBDIR) && make install diff --git a/testing/scripts/recipes/004_wpa_supplicant.mk b/testing/scripts/recipes/004_wpa_supplicant.mk deleted file mode 100644 index 4cc870c12..000000000 --- a/testing/scripts/recipes/004_wpa_supplicant.mk +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/make - -PV = 2.0 -PKG = wpa_supplicant-$(PV) -TAR = $(PKG).tar.gz -SRC = http://w1.fi/releases/$(TAR) - -NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) - -CONFIG_OPTS = - -PATCHES = \ - wpa_supplicant-eap-tnc - -SUBDIR = wpa_supplicant - -all: install - -$(TAR): - wget $(SRC) - -.$(PKG)-unpacked: $(TAR) - tar xfz $(TAR) - @touch $@ - -.$(PKG)-patches-applied: .$(PKG)-unpacked - cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1 - @touch $@ - -.$(PKG)-configured: .$(PKG)-patches-applied - cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config - @touch $@ - -.$(PKG)-built: .$(PKG)-configured - cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS) - @touch $@ - -install: .$(PKG)-built - cd $(PKG)/$(SUBDIR) && make install diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk index a6af5df5c..b311c0a99 100644 --- a/testing/scripts/recipes/005_anet.mk +++ b/testing/scripts/recipes/005_anet.mk @@ -8,14 +8,15 @@ PREFIX = /usr/local/ada all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make LIBRARY_KIND=static @touch $@ diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk index 5f2e207c8..ed2a62396 100644 --- a/testing/scripts/recipes/006_tkm-rpc.mk +++ b/testing/scripts/recipes/006_tkm-rpc.mk @@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make @touch $@ diff --git a/testing/scripts/recipes/007_x509-ada.mk b/testing/scripts/recipes/007_x509-ada.mk index 7899f6dec..57a106dea 100644 --- a/testing/scripts/recipes/007_x509-ada.mk +++ b/testing/scripts/recipes/007_x509-ada.mk @@ -8,14 +8,15 @@ PREFIX = /usr/local/ada all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make tests && make @touch $@ diff --git a/testing/scripts/recipes/008_xfrm-ada.mk b/testing/scripts/recipes/008_xfrm-ada.mk index ad1cbb2bc..64ada0e45 100644 --- a/testing/scripts/recipes/008_xfrm-ada.mk +++ b/testing/scripts/recipes/008_xfrm-ada.mk @@ -10,14 +10,15 @@ export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make @touch $@ diff --git a/testing/scripts/recipes/009_xfrm-proxy.mk b/testing/scripts/recipes/009_xfrm-proxy.mk index a7c9d31cc..bdf5b1211 100644 --- a/testing/scripts/recipes/009_xfrm-proxy.mk +++ b/testing/scripts/recipes/009_xfrm-proxy.mk @@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make @touch $@ diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk index 03ee5b526..2651660db 100644 --- a/testing/scripts/recipes/010_tkm.mk +++ b/testing/scripts/recipes/010_tkm.mk @@ -8,14 +8,15 @@ export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && make @touch $@ diff --git a/testing/scripts/recipes/011_botan.mk b/testing/scripts/recipes/011_botan.mk index ef0f6d066..215e92365 100644 --- a/testing/scripts/recipes/011_botan.mk +++ b/testing/scripts/recipes/011_botan.mk @@ -2,8 +2,7 @@ PKG = botan SRC = https://github.com/randombit/$(PKG).git -# will have to be changed to the 2.8.0 tag later -REV = 1872f899716854927ecc68022fac318735be8824 +REV = 2.8.0 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) @@ -15,14 +14,15 @@ CONFIG_OPTS = \ all: install -$(PKG): - git clone $(SRC) $(PKG) +.$(PKG)-cloned: + [ -d $(PKG) ] || git clone $(SRC) $(PKG) + @touch $@ -.$(PKG)-cloned-$(REV): $(PKG) +.$(PKG)-checkout-$(REV): .$(PKG)-cloned cd $(PKG) && git fetch && git checkout $(REV) @touch $@ -.$(PKG)-built-$(REV): .$(PKG)-cloned-$(REV) +.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV) cd $(PKG) && python ./configure.py $(CONFIG_OPTS) && make -j $(NUM_CPUS) @touch $@ diff --git a/testing/scripts/recipes/patches/freeradius-eap-sim-identity b/testing/scripts/recipes/patches/freeradius-eap-sim-identity deleted file mode 100644 index 1ab95ecc6..000000000 --- a/testing/scripts/recipes/patches/freeradius-eap-sim-identity +++ /dev/null @@ -1,30 +0,0 @@ ---- a/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:03:05.081225276 +0100 -+++ b/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c 2012-11-28 11:46:59.746289881 +0100 -@@ -246,14 +246,21 @@ - newvp->vp_integer = ess->sim_id++; - pairreplace(outvps, newvp); - -+ ess->keys.identitylen = strlen(handler->identity); -+ memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen); -+ - /* make a copy of the identity */ - newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY); -- if (newvp) { -- ess->keys.identitylen = newvp->length; -- memcpy(ess->keys.identity, newvp->vp_octets, newvp->length); -- } else { -- ess->keys.identitylen = strlen(handler->identity); -- memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen); -+ if (newvp && newvp->length > 2) { -+ uint16_t len; -+ -+ memcpy(&len, newvp->vp_octets, sizeof(uint16_t)); -+ len = ntohs(len); -+ if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) { -+ ess->keys.identitylen = len; -+ memcpy(ess->keys.identity, newvp->vp_octets + 2, -+ ess->keys.identitylen); -+ } - } - - /* all set, calculate keys! */ diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh deleted file mode 100644 index 26a233d48..000000000 --- a/testing/scripts/recipes/patches/freeradius-tnc-fhh +++ /dev/null @@ -1,6687 +0,0 @@ -diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary freeradius-server-2.2.0/share/dictionary ---- freeradius-server-2.2.0.orig/share/dictionary 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/share/dictionary 2012-12-04 19:39:42.261423097 +0100 -@@ -196,6 +196,7 @@ - $INCLUDE dictionary.starent - $INCLUDE dictionary.symbol - $INCLUDE dictionary.telebit -+$INCLUDE dictionary.tncfhh - $INCLUDE dictionary.terena - $INCLUDE dictionary.trapeze - $INCLUDE dictionary.tropos -diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary.tncfhh freeradius-server-2.2.0/share/dictionary.tncfhh ---- freeradius-server-2.2.0.orig/share/dictionary.tncfhh 1970-01-01 01:00:00.000000000 +0100 -+++ freeradius-server-2.2.0/share/dictionary.tncfhh 2012-12-04 19:39:49.645421869 +0100 -@@ -0,0 +1,20 @@ -+# -*- text -*- -+# Dictionary for the tnc@fhh Server. -+# -+# Website: http://trust.inform.fh-hannover.de -+# -+# Version: 0.8.4 -+# Author: Bastian Hellmann -+# Email: trust@f4-i.fh-hannover.de -+# -+ -+VENDOR tncfhh 10000 -+BEGIN-VENDOR tncfhh -+ -+ATTRIBUTE TNC-Status 1 integer -+ -+VALUE TNC-Status Access 0 -+VALUE TNC-Status Isolate 1 -+VALUE TNC-Status None 2 -+ -+END-VENDOR tncfhh -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure 2012-12-04 19:38:00.237420970 +0100 -@@ -1,61 +1,84 @@ - #! /bin/sh - # From configure.in Revision. - # Guess values for system-dependent variables and create Makefiles. --# Generated by GNU Autoconf 2.61. -+# Generated by GNU Autoconf 2.67. -+# - # - # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, --# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. -+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software -+# Foundation, Inc. -+# -+# - # This configure script is free software; the Free Software Foundation - # gives unlimited permission to copy, distribute and modify it. --## --------------------- ## --## M4sh Initialization. ## --## --------------------- ## -+## -------------------- ## -+## M4sh Initialization. ## -+## -------------------- ## - - # Be more Bourne compatible - DUALCASE=1; export DUALCASE # for MKS sh --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: -- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which -+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST - else -- case `(set -o) 2>/dev/null` in -- *posix*) set -o posix ;; -+ case `(set -o) 2>/dev/null` in #( -+ *posix*) : -+ set -o posix ;; #( -+ *) : -+ ;; - esac -- - fi - - -- -- --# PATH needs CR --# Avoid depending upon Character Ranges. --as_cr_letters='abcdefghijklmnopqrstuvwxyz' --as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' --as_cr_Letters=$as_cr_letters$as_cr_LETTERS --as_cr_digits='0123456789' --as_cr_alnum=$as_cr_Letters$as_cr_digits -- --# The user is always right. --if test "${PATH_SEPARATOR+set}" != set; then -- echo "#! /bin/sh" >conf$$.sh -- echo "exit 0" >>conf$$.sh -- chmod +x conf$$.sh -- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then -- PATH_SEPARATOR=';' -+as_nl=' -+' -+export as_nl -+# Printing a long string crashes Solaris 7 /usr/bin/printf. -+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' -+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo -+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -+# Prefer a ksh shell builtin over an external printf program on Solaris, -+# but without wasting forks for bash or zsh. -+if test -z "$BASH_VERSION$ZSH_VERSION" \ -+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then -+ as_echo='print -r --' -+ as_echo_n='print -rn --' -+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then -+ as_echo='printf %s\n' -+ as_echo_n='printf %s' -+else -+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then -+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' -+ as_echo_n='/usr/ucb/echo -n' - else -- PATH_SEPARATOR=: -+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"' -+ as_echo_n_body='eval -+ arg=$1; -+ case $arg in #( -+ *"$as_nl"*) -+ expr "X$arg" : "X\\(.*\\)$as_nl"; -+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; -+ esac; -+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" -+ ' -+ export as_echo_n_body -+ as_echo_n='sh -c $as_echo_n_body as_echo' - fi -- rm -f conf$$.sh -+ export as_echo_body -+ as_echo='sh -c $as_echo_body as_echo' - fi - --# Support unset when possible. --if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then -- as_unset=unset --else -- as_unset=false -+# The user is always right. -+if test "${PATH_SEPARATOR+set}" != set; then -+ PATH_SEPARATOR=: -+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { -+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || -+ PATH_SEPARATOR=';' -+ } - fi - - -@@ -64,20 +87,18 @@ - # there to prevent editors from complaining about space-tab. - # (If _AS_PATH_WALK were called with IFS unset, it would disable word - # splitting by setting IFS to empty value.) --as_nl=' --' - IFS=" "" $as_nl" - - # Find who we are. Look in the path if we contain no directory separator. --case $0 in -+case $0 in #(( - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR - for as_dir in $PATH - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break --done -+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -+ done - IFS=$as_save_IFS - - ;; -@@ -88,354 +109,321 @@ - as_myself=$0 - fi - if test ! -f "$as_myself"; then -- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 -- { (exit 1); exit 1; } -+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 -+ exit 1 - fi - --# Work around bugs in pre-3.0 UWIN ksh. --for as_var in ENV MAIL MAILPATH --do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -+# Unset variables that we do not need and which cause bugs (e.g. in -+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -+# suppresses any "Segmentation fault" message there. '((' could -+# trigger a bug in pdksh 5.2.14. -+for as_var in BASH_ENV ENV MAIL MAILPATH -+do eval test x\${$as_var+set} = xset \ -+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : - done - PS1='$ ' - PS2='> ' - PS4='+ ' - - # NLS nuisances. --for as_var in \ -- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \ -- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \ -- LC_TELEPHONE LC_TIME --do -- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then -- eval $as_var=C; export $as_var -- else -- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -- fi --done -- --# Required to use basename. --if expr a : '\(a\)' >/dev/null 2>&1 && -- test "X`expr 00001 : '.*\(...\)'`" = X001; then -- as_expr=expr --else -- as_expr=false --fi -- --if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then -- as_basename=basename --else -- as_basename=false --fi -- -- --# Name of the executable. --as_me=`$as_basename -- "$0" || --$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ -- X"$0" : 'X\(//\)$' \| \ -- X"$0" : 'X\(/\)' \| . 2>/dev/null || --echo X/"$0" | -- sed '/^.*\/\([^/][^/]*\)\/*$/{ -- s//\1/ -- q -- } -- /^X\/\(\/\/\)$/{ -- s//\1/ -- q -- } -- /^X\/\(\/\).*/{ -- s//\1/ -- q -- } -- s/.*/./; q'` -+LC_ALL=C -+export LC_ALL -+LANGUAGE=C -+export LANGUAGE - - # CDPATH. --$as_unset CDPATH -- -+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - - if test "x$CONFIG_SHELL" = x; then -- if (eval ":") 2>/dev/null; then -- as_have_required=yes -+ as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : -+ emulate sh -+ NULLCMD=: -+ # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which -+ # is contrary to our usage. Disable this feature. -+ alias -g '\${1+\"\$@\"}'='\"\$@\"' -+ setopt NO_GLOB_SUBST - else -- as_have_required=no -+ case \`(set -o) 2>/dev/null\` in #( -+ *posix*) : -+ set -o posix ;; #( -+ *) : -+ ;; -+esac - fi -- -- if test $as_have_required = yes && (eval ": --(as_func_return () { -- (exit \$1) --} --as_func_success () { -- as_func_return 0 --} --as_func_failure () { -- as_func_return 1 --} --as_func_ret_success () { -- return 0 --} --as_func_ret_failure () { -- return 1 --} -+" -+ as_required="as_fn_return () { (exit \$1); } -+as_fn_success () { as_fn_return 0; } -+as_fn_failure () { as_fn_return 1; } -+as_fn_ret_success () { return 0; } -+as_fn_ret_failure () { return 1; } - - exitcode=0 --if as_func_success; then -- : --else -- exitcode=1 -- echo as_func_success failed. --fi -- --if as_func_failure; then -- exitcode=1 -- echo as_func_failure succeeded. --fi -- --if as_func_ret_success; then -- : --else -- exitcode=1 -- echo as_func_ret_success failed. --fi -- --if as_func_ret_failure; then -- exitcode=1 -- echo as_func_ret_failure succeeded. --fi -- --if ( set x; as_func_ret_success y && test x = \"\$1\" ); then -- : -+as_fn_success || { exitcode=1; echo as_fn_success failed.; } -+as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } -+as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } -+as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } -+if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : -+ -+else -+ exitcode=1; echo positional parameters were not saved. -+fi -+test x\$exitcode = x0 || exit 1" -+ as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO -+ as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO -+ eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && -+ test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 -+test \$(( 1 + 1 )) = 2 || exit 1" -+ if (eval "$as_required") 2>/dev/null; then : -+ as_have_required=yes - else -- exitcode=1 -- echo positional parameters were not saved. -+ as_have_required=no - fi -+ if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : - --test \$exitcode = 0) || { (exit 1); exit 1; } -- --( -- as_lineno_1=\$LINENO -- as_lineno_2=\$LINENO -- test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" && -- test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; } --") 2> /dev/null; then -- : - else -- as_candidate_shells= -- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+as_found=false - for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- case $as_dir in -+ as_found=: -+ case $as_dir in #( - /*) - for as_base in sh bash ksh sh5; do -- as_candidate_shells="$as_candidate_shells $as_dir/$as_base" -+ # Try only shells that exist, to save several forks. -+ as_shell=$as_dir/$as_base -+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } && -+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : -+ CONFIG_SHELL=$as_shell as_have_required=yes -+ if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : -+ break 2 -+fi -+fi - done;; - esac -+ as_found=false - done -+$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && -+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : -+ CONFIG_SHELL=$SHELL as_have_required=yes -+fi; } - IFS=$as_save_IFS - - -- for as_shell in $as_candidate_shells $SHELL; do -- # Try only shells that exist, to save several forks. -- if { test -f "$as_shell" || test -f "$as_shell.exe"; } && -- { ("$as_shell") 2> /dev/null <<\_ASEOF --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -- emulate sh -- NULLCMD=: -- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which -- # is contrary to our usage. Disable this feature. -- alias -g '${1+"$@"}'='"$@"' -- setopt NO_GLOB_SUBST --else -- case `(set -o) 2>/dev/null` in -- *posix*) set -o posix ;; --esac -- -+ if test "x$CONFIG_SHELL" != x; then : -+ # We cannot yet assume a decent shell, so we have to provide a -+ # neutralization value for shells without unset; and this also -+ # works around shells that cannot unset nonexistent variables. -+ BASH_ENV=/dev/null -+ ENV=/dev/null -+ (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -+ export CONFIG_SHELL -+ exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} -+fi -+ -+ if test x$as_have_required = xno; then : -+ $as_echo "$0: This script requires a shell more modern than all" -+ $as_echo "$0: the shells that I found on your system." -+ if test x${ZSH_VERSION+set} = xset ; then -+ $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" -+ $as_echo "$0: be upgraded to zsh 4.3.4 or later." -+ else -+ $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, -+$0: including any error possibly output before this -+$0: message. Then install a modern shell, or manually run -+$0: the script under such a shell if you do have one." -+ fi -+ exit 1 - fi -- -- --: --_ASEOF --}; then -- CONFIG_SHELL=$as_shell -- as_have_required=yes -- if { "$as_shell" 2> /dev/null <<\_ASEOF --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -- emulate sh -- NULLCMD=: -- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which -- # is contrary to our usage. Disable this feature. -- alias -g '${1+"$@"}'='"$@"' -- setopt NO_GLOB_SUBST --else -- case `(set -o) 2>/dev/null` in -- *posix*) set -o posix ;; --esac -- - fi -+fi -+SHELL=${CONFIG_SHELL-/bin/sh} -+export SHELL -+# Unset more variables known to interfere with behavior of common tools. -+CLICOLOR_FORCE= GREP_OPTIONS= -+unset CLICOLOR_FORCE GREP_OPTIONS - -- --: --(as_func_return () { -- (exit $1) --} --as_func_success () { -- as_func_return 0 --} --as_func_failure () { -- as_func_return 1 --} --as_func_ret_success () { -- return 0 --} --as_func_ret_failure () { -- return 1 -+## --------------------- ## -+## M4sh Shell Functions. ## -+## --------------------- ## -+# as_fn_unset VAR -+# --------------- -+# Portably unset VAR. -+as_fn_unset () -+{ -+ { eval $1=; unset $1;} - } -+as_unset=as_fn_unset - --exitcode=0 --if as_func_success; then -- : --else -- exitcode=1 -- echo as_func_success failed. --fi -+# as_fn_set_status STATUS -+# ----------------------- -+# Set $? to STATUS, without forking. -+as_fn_set_status () -+{ -+ return $1 -+} # as_fn_set_status - --if as_func_failure; then -- exitcode=1 -- echo as_func_failure succeeded. --fi -+# as_fn_exit STATUS -+# ----------------- -+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -+as_fn_exit () -+{ -+ set +e -+ as_fn_set_status $1 -+ exit $1 -+} # as_fn_exit -+ -+# as_fn_mkdir_p -+# ------------- -+# Create "$as_dir" as a directory, including parents if necessary. -+as_fn_mkdir_p () -+{ - --if as_func_ret_success; then -- : --else -- exitcode=1 -- echo as_func_ret_success failed. --fi -+ case $as_dir in #( -+ -*) as_dir=./$as_dir;; -+ esac -+ test -d "$as_dir" || eval $as_mkdir_p || { -+ as_dirs= -+ while :; do -+ case $as_dir in #( -+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( -+ *) as_qdir=$as_dir;; -+ esac -+ as_dirs="'$as_qdir' $as_dirs" -+ as_dir=`$as_dirname -- "$as_dir" || -+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -+ X"$as_dir" : 'X\(//\)[^/]' \| \ -+ X"$as_dir" : 'X\(//\)$' \| \ -+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -+$as_echo X"$as_dir" | -+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\/\)[^/].*/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\/\)$/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\).*/{ -+ s//\1/ -+ q -+ } -+ s/.*/./; q'` -+ test -d "$as_dir" && break -+ done -+ test -z "$as_dirs" || eval "mkdir $as_dirs" -+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" - --if as_func_ret_failure; then -- exitcode=1 -- echo as_func_ret_failure succeeded. --fi - --if ( set x; as_func_ret_success y && test x = "$1" ); then -- : -+} # as_fn_mkdir_p -+# as_fn_append VAR VALUE -+# ---------------------- -+# Append the text in VALUE to the end of the definition contained in VAR. Take -+# advantage of any shell optimizations that allow amortized linear growth over -+# repeated appends, instead of the typical quadratic growth present in naive -+# implementations. -+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : -+ eval 'as_fn_append () -+ { -+ eval $1+=\$2 -+ }' - else -- exitcode=1 -- echo positional parameters were not saved. --fi -- --test $exitcode = 0) || { (exit 1); exit 1; } -- --( -- as_lineno_1=$LINENO -- as_lineno_2=$LINENO -- test "x$as_lineno_1" != "x$as_lineno_2" && -- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; } -- --_ASEOF --}; then -- break --fi -- --fi -- -- done -- -- if test "x$CONFIG_SHELL" != x; then -- for as_var in BASH_ENV ENV -- do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -- done -- export CONFIG_SHELL -- exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} --fi -- -- -- if test $as_have_required = no; then -- echo This script requires a shell more modern than all the -- echo shells that I found on your system. Please install a -- echo modern shell, or manually run the script under such a -- echo shell if you do have one. -- { (exit 1); exit 1; } --fi -- -- --fi -- --fi -- -+ as_fn_append () -+ { -+ eval $1=\$$1\$2 -+ } -+fi # as_fn_append -+ -+# as_fn_arith ARG... -+# ------------------ -+# Perform arithmetic evaluation on the ARGs, and store the result in the -+# global $as_val. Take advantage of shells that can avoid forks. The arguments -+# must be portable across $(()) and expr. -+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : -+ eval 'as_fn_arith () -+ { -+ as_val=$(( $* )) -+ }' -+else -+ as_fn_arith () -+ { -+ as_val=`expr "$@" || test $? -eq 1` -+ } -+fi # as_fn_arith - - --(eval "as_func_return () { -- (exit \$1) --} --as_func_success () { -- as_func_return 0 --} --as_func_failure () { -- as_func_return 1 --} --as_func_ret_success () { -- return 0 --} --as_func_ret_failure () { -- return 1 --} -+# as_fn_error STATUS ERROR [LINENO LOG_FD] -+# ---------------------------------------- -+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -+# script with STATUS, using 1 if that was 0. -+as_fn_error () -+{ -+ as_status=$1; test $as_status -eq 0 && as_status=1 -+ if test "$4"; then -+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 -+ fi -+ $as_echo "$as_me: error: $2" >&2 -+ as_fn_exit $as_status -+} # as_fn_error - --exitcode=0 --if as_func_success; then -- : -+if expr a : '\(a\)' >/dev/null 2>&1 && -+ test "X`expr 00001 : '.*\(...\)'`" = X001; then -+ as_expr=expr - else -- exitcode=1 -- echo as_func_success failed. --fi -- --if as_func_failure; then -- exitcode=1 -- echo as_func_failure succeeded. -+ as_expr=false - fi - --if as_func_ret_success; then -- : -+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then -+ as_basename=basename - else -- exitcode=1 -- echo as_func_ret_success failed. --fi -- --if as_func_ret_failure; then -- exitcode=1 -- echo as_func_ret_failure succeeded. -+ as_basename=false - fi - --if ( set x; as_func_ret_success y && test x = \"\$1\" ); then -- : -+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then -+ as_dirname=dirname - else -- exitcode=1 -- echo positional parameters were not saved. -+ as_dirname=false - fi - --test \$exitcode = 0") || { -- echo No shell found that supports shell functions. -- echo Please tell autoconf@gnu.org about your system, -- echo including any error possibly output before this -- echo message --} -+as_me=`$as_basename -- "$0" || -+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ -+ X"$0" : 'X\(//\)$' \| \ -+ X"$0" : 'X\(/\)' \| . 2>/dev/null || -+$as_echo X/"$0" | -+ sed '/^.*\/\([^/][^/]*\)\/*$/{ -+ s//\1/ -+ q -+ } -+ /^X\/\(\/\/\)$/{ -+ s//\1/ -+ q -+ } -+ /^X\/\(\/\).*/{ -+ s//\1/ -+ q -+ } -+ s/.*/./; q'` - -+# Avoid depending upon Character Ranges. -+as_cr_letters='abcdefghijklmnopqrstuvwxyz' -+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -+as_cr_Letters=$as_cr_letters$as_cr_LETTERS -+as_cr_digits='0123456789' -+as_cr_alnum=$as_cr_Letters$as_cr_digits - - -- as_lineno_1=$LINENO -- as_lineno_2=$LINENO -- test "x$as_lineno_1" != "x$as_lineno_2" && -- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { -- -- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO -- # uniformly replaced by the line number. The first 'sed' inserts a -- # line-number line after each line using $LINENO; the second 'sed' -- # does the real work. The second script uses 'N' to pair each -- # line-number line with the line containing $LINENO, and appends -- # trailing '-' during substitution so that $LINENO is not a special -- # case at line end. -- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the -- # scripts with optimization help from Paolo Bonzini. Blame Lee -- # E. McMahon (1931-1989) for sed's syntax. :-) -+ as_lineno_1=$LINENO as_lineno_1a=$LINENO -+ as_lineno_2=$LINENO as_lineno_2a=$LINENO -+ eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && -+ test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { -+ # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) - sed -n ' - p - /[$]LINENO/= -@@ -452,8 +440,7 @@ - s/-\n.*// - ' >$as_me.lineno && - chmod +x "$as_me.lineno" || -- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 -- { (exit 1); exit 1; }; } -+ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } - - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the -@@ -463,49 +450,40 @@ - exit - } - -- --if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then -- as_dirname=dirname --else -- as_dirname=false --fi -- - ECHO_C= ECHO_N= ECHO_T= --case `echo -n x` in -+case `echo -n x` in #((((( - -n*) -- case `echo 'x\c'` in -+ case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. -- *) ECHO_C='\c';; -+ xy) ECHO_C='\c';; -+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null -+ ECHO_T=' ';; - esac;; - *) - ECHO_N='-n';; - esac - --if expr a : '\(a\)' >/dev/null 2>&1 && -- test "X`expr 00001 : '.*\(...\)'`" = X001; then -- as_expr=expr --else -- as_expr=false --fi -- - rm -f conf$$ conf$$.exe conf$$.file - if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file - else - rm -f conf$$.dir -- mkdir conf$$.dir -+ mkdir conf$$.dir 2>/dev/null - fi --echo >conf$$.file --if ln -s conf$$.file conf$$ 2>/dev/null; then -- as_ln_s='ln -s' -- # ... but there are two gotchas: -- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. -- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -- # In both cases, we have to default to `cp -p'. -- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -+if (echo >conf$$.file) 2>/dev/null; then -+ if ln -s conf$$.file conf$$ 2>/dev/null; then -+ as_ln_s='ln -s' -+ # ... but there are two gotchas: -+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. -+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -+ # In both cases, we have to default to `cp -p'. -+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -+ as_ln_s='cp -p' -+ elif ln conf$$.file conf$$ 2>/dev/null; then -+ as_ln_s=ln -+ else - as_ln_s='cp -p' --elif ln conf$$.file conf$$ 2>/dev/null; then -- as_ln_s=ln -+ fi - else - as_ln_s='cp -p' - fi -@@ -513,7 +491,7 @@ - rmdir conf$$.dir 2>/dev/null - - if mkdir -p . 2>/dev/null; then -- as_mkdir_p=: -+ as_mkdir_p='mkdir -p "$as_dir"' - else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -@@ -530,12 +508,12 @@ - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then -- test -d "$1/."; -+ test -d "$1/."; - else -- case $1 in -- -*)set "./$1";; -+ case $1 in #( -+ -*)set "./$1";; - esac; -- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in -+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -@@ -549,11 +527,11 @@ - as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" - - -- --exec 7<&0 &1 -+test -n "$DJDIR" || exec 7<&0 &1 - - # Name of the host. --# hostname on some systems (SVR3.2, Linux) returns a bogus exit status, -+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, - # so uname gets run too. - ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` - -@@ -568,7 +546,6 @@ - subdirs= - MFLAGS= - MAKEFLAGS= --SHELL=${CONFIG_SHELL-/bin/sh} - - # Identity of this package. - PACKAGE_NAME= -@@ -576,58 +553,102 @@ - PACKAGE_VERSION= - PACKAGE_STRING= - PACKAGE_BUGREPORT= -+PACKAGE_URL= - - ac_unique_file="rlm_eap_tnc.c" --ac_subst_vars='SHELL --PATH_SEPARATOR --PACKAGE_NAME --PACKAGE_TARNAME --PACKAGE_VERSION --PACKAGE_STRING --PACKAGE_BUGREPORT --exec_prefix --prefix --program_transform_name --bindir --sbindir --libexecdir --datarootdir --datadir --sysconfdir --sharedstatedir --localstatedir --includedir --oldincludedir --docdir --infodir --htmldir --dvidir --pdfdir --psdir --libdir --localedir --mandir --DEFS --ECHO_C --ECHO_N --ECHO_T --LIBS --build_alias --host_alias --target_alias --CC --CFLAGS --LDFLAGS --CPPFLAGS --ac_ct_CC --EXEEXT --OBJEXT --eap_tnc_cflags --eap_tnc_ldflags --targetname -+# Factoring default headers for most tests. -+ac_includes_default="\ -+#include -+#ifdef HAVE_SYS_TYPES_H -+# include -+#endif -+#ifdef HAVE_SYS_STAT_H -+# include -+#endif -+#ifdef STDC_HEADERS -+# include -+# include -+#else -+# ifdef HAVE_STDLIB_H -+# include -+# endif -+#endif -+#ifdef HAVE_STRING_H -+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H -+# include -+# endif -+# include -+#endif -+#ifdef HAVE_STRINGS_H -+# include -+#endif -+#ifdef HAVE_INTTYPES_H -+# include -+#endif -+#ifdef HAVE_STDINT_H -+# include -+#endif -+#ifdef HAVE_UNISTD_H -+# include -+#endif" -+ -+ac_subst_vars='LTLIBOBJS - LIBOBJS --LTLIBOBJS' -+targetname -+eap_tnc_ldflags -+eap_tnc_cflags -+EGREP -+GREP -+CPP -+OBJEXT -+EXEEXT -+ac_ct_CC -+CPPFLAGS -+LDFLAGS -+CFLAGS -+CC -+target_alias -+host_alias -+build_alias -+LIBS -+ECHO_T -+ECHO_N -+ECHO_C -+DEFS -+mandir -+localedir -+libdir -+psdir -+pdfdir -+dvidir -+htmldir -+infodir -+docdir -+oldincludedir -+includedir -+localstatedir -+sharedstatedir -+sysconfdir -+datadir -+datarootdir -+libexecdir -+sbindir -+bindir -+program_transform_name -+prefix -+exec_prefix -+PACKAGE_URL -+PACKAGE_BUGREPORT -+PACKAGE_STRING -+PACKAGE_VERSION -+PACKAGE_TARNAME -+PACKAGE_NAME -+PATH_SEPARATOR -+SHELL' - ac_subst_files='' -+ac_user_opts=' -+enable_option_checking -+' - ac_precious_vars='build_alias - host_alias - target_alias -@@ -635,12 +656,15 @@ - CFLAGS - LDFLAGS - LIBS --CPPFLAGS' -+CPPFLAGS -+CPP' - - - # Initialize some variables set by options. - ac_init_help= - ac_init_version=false -+ac_unrecognized_opts= -+ac_unrecognized_sep= - # The variables have the same names as the options, with - # dashes changed to underlines. - cache_file=/dev/null -@@ -696,8 +720,9 @@ - fi - - case $ac_option in -- *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; -- *) ac_optarg=yes ;; -+ *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; -+ *=) ac_optarg= ;; -+ *) ac_optarg=yes ;; - esac - - # Accept the important Cygnus configure options, so we can diagnose typos. -@@ -739,13 +764,20 @@ - datarootdir=$ac_optarg ;; - - -disable-* | --disable-*) -- ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'` -+ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` - # Reject names that are not valid shell variable names. -- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid feature name: $ac_feature" >&2 -- { (exit 1); exit 1; }; } -- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'` -- eval enable_$ac_feature=no ;; -+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && -+ as_fn_error $? "invalid feature name: $ac_useropt" -+ ac_useropt_orig=$ac_useropt -+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` -+ case $ac_user_opts in -+ *" -+"enable_$ac_useropt" -+"*) ;; -+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" -+ ac_unrecognized_sep=', ';; -+ esac -+ eval enable_$ac_useropt=no ;; - - -docdir | --docdir | --docdi | --doc | --do) - ac_prev=docdir ;; -@@ -758,13 +790,20 @@ - dvidir=$ac_optarg ;; - - -enable-* | --enable-*) -- ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` -+ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` - # Reject names that are not valid shell variable names. -- expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid feature name: $ac_feature" >&2 -- { (exit 1); exit 1; }; } -- ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'` -- eval enable_$ac_feature=\$ac_optarg ;; -+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && -+ as_fn_error $? "invalid feature name: $ac_useropt" -+ ac_useropt_orig=$ac_useropt -+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` -+ case $ac_user_opts in -+ *" -+"enable_$ac_useropt" -+"*) ;; -+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" -+ ac_unrecognized_sep=', ';; -+ esac -+ eval enable_$ac_useropt=\$ac_optarg ;; - - -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ - | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ -@@ -955,22 +994,36 @@ - ac_init_version=: ;; - - -with-* | --with-*) -- ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` -+ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` - # Reject names that are not valid shell variable names. -- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid package name: $ac_package" >&2 -- { (exit 1); exit 1; }; } -- ac_package=`echo $ac_package | sed 's/[-.]/_/g'` -- eval with_$ac_package=\$ac_optarg ;; -+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && -+ as_fn_error $? "invalid package name: $ac_useropt" -+ ac_useropt_orig=$ac_useropt -+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` -+ case $ac_user_opts in -+ *" -+"with_$ac_useropt" -+"*) ;; -+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" -+ ac_unrecognized_sep=', ';; -+ esac -+ eval with_$ac_useropt=\$ac_optarg ;; - - -without-* | --without-*) -- ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'` -+ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` - # Reject names that are not valid shell variable names. -- expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid package name: $ac_package" >&2 -- { (exit 1); exit 1; }; } -- ac_package=`echo $ac_package | sed 's/[-.]/_/g'` -- eval with_$ac_package=no ;; -+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && -+ as_fn_error $? "invalid package name: $ac_useropt" -+ ac_useropt_orig=$ac_useropt -+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` -+ case $ac_user_opts in -+ *" -+"with_$ac_useropt" -+"*) ;; -+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" -+ ac_unrecognized_sep=', ';; -+ esac -+ eval with_$ac_useropt=no ;; - - --x) - # Obsolete; use --with-x. -@@ -990,25 +1043,25 @@ - | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) - x_libraries=$ac_optarg ;; - -- -*) { echo "$as_me: error: unrecognized option: $ac_option --Try \`$0 --help' for more information." >&2 -- { (exit 1); exit 1; }; } -+ -*) as_fn_error $? "unrecognized option: \`$ac_option' -+Try \`$0 --help' for more information" - ;; - - *=*) - ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` - # Reject names that are not valid shell variable names. -- expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && -- { echo "$as_me: error: invalid variable name: $ac_envvar" >&2 -- { (exit 1); exit 1; }; } -+ case $ac_envvar in #( -+ '' | [0-9]* | *[!_$as_cr_alnum]* ) -+ as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; -+ esac - eval $ac_envvar=\$ac_optarg - export $ac_envvar ;; - - *) - # FIXME: should be removed in autoconf 3.0. -- echo "$as_me: WARNING: you should use --build, --host, --target" >&2 -+ $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 - expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && -- echo "$as_me: WARNING: invalid host type: $ac_option" >&2 -+ $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 - : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option} - ;; - -@@ -1017,23 +1070,36 @@ - - if test -n "$ac_prev"; then - ac_option=--`echo $ac_prev | sed 's/_/-/g'` -- { echo "$as_me: error: missing argument to $ac_option" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "missing argument to $ac_option" -+fi -+ -+if test -n "$ac_unrecognized_opts"; then -+ case $enable_option_checking in -+ no) ;; -+ fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; -+ *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; -+ esac - fi - --# Be sure to have absolute directory names. -+# Check all directory arguments for consistency. - for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ - datadir sysconfdir sharedstatedir localstatedir includedir \ - oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir - do - eval ac_val=\$$ac_var -+ # Remove trailing slashes. -+ case $ac_val in -+ */ ) -+ ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` -+ eval $ac_var=\$ac_val;; -+ esac -+ # Be sure to have absolute directory names. - case $ac_val in - [\\/$]* | ?:[\\/]* ) continue;; - NONE | '' ) case $ac_var in *prefix ) continue;; esac;; - esac -- { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" - done - - # There might be people who depend on the old broken behavior: `$host' -@@ -1047,8 +1113,8 @@ - if test "x$host_alias" != x; then - if test "x$build_alias" = x; then - cross_compiling=maybe -- echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host. -- If a cross compiler is detected then cross compile mode will be used." >&2 -+ $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. -+ If a cross compiler is detected then cross compile mode will be used" >&2 - elif test "x$build_alias" != "x$host_alias"; then - cross_compiling=yes - fi -@@ -1063,23 +1129,21 @@ - ac_pwd=`pwd` && test -n "$ac_pwd" && - ac_ls_di=`ls -di .` && - ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || -- { echo "$as_me: error: Working directory cannot be determined" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "working directory cannot be determined" - test "X$ac_ls_di" = "X$ac_pwd_ls_di" || -- { echo "$as_me: error: pwd does not report name of working directory" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "pwd does not report name of working directory" - - - # Find the source files, if location was not specified. - if test -z "$srcdir"; then - ac_srcdir_defaulted=yes - # Try the directory containing this script, then the parent directory. -- ac_confdir=`$as_dirname -- "$0" || --$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -- X"$0" : 'X\(//\)[^/]' \| \ -- X"$0" : 'X\(//\)$' \| \ -- X"$0" : 'X\(/\)' \| . 2>/dev/null || --echo X"$0" | -+ ac_confdir=`$as_dirname -- "$as_myself" || -+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -+ X"$as_myself" : 'X\(//\)[^/]' \| \ -+ X"$as_myself" : 'X\(//\)$' \| \ -+ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || -+$as_echo X"$as_myself" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q -@@ -1106,13 +1170,11 @@ - fi - if test ! -r "$srcdir/$ac_unique_file"; then - test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." -- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 -- { (exit 1); exit 1; }; } -+ as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" - fi - ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" - ac_abs_confdir=`( -- cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2 -- { (exit 1); exit 1; }; } -+ cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" - pwd)` - # When building in place, set srcdir=. - if test "$ac_abs_confdir" = "$ac_pwd"; then -@@ -1152,7 +1214,7 @@ - --help=short display options specific to this package - --help=recursive display the short help of all the included packages - -V, --version display version information and exit -- -q, --quiet, --silent do not print \`checking...' messages -+ -q, --quiet, --silent do not print \`checking ...' messages - --cache-file=FILE cache test results in FILE [disabled] - -C, --config-cache alias for \`--cache-file=config.cache' - -n, --no-create do not create output files -@@ -1160,9 +1222,9 @@ - - Installation directories: - --prefix=PREFIX install architecture-independent files in PREFIX -- [$ac_default_prefix] -+ [$ac_default_prefix] - --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX -- [PREFIX] -+ [PREFIX] - - By default, \`make install' will install all the files in - \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify -@@ -1172,25 +1234,25 @@ - For better control, use the options below. - - Fine tuning of the installation directories: -- --bindir=DIR user executables [EPREFIX/bin] -- --sbindir=DIR system admin executables [EPREFIX/sbin] -- --libexecdir=DIR program executables [EPREFIX/libexec] -- --sysconfdir=DIR read-only single-machine data [PREFIX/etc] -- --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] -- --localstatedir=DIR modifiable single-machine data [PREFIX/var] -- --libdir=DIR object code libraries [EPREFIX/lib] -- --includedir=DIR C header files [PREFIX/include] -- --oldincludedir=DIR C header files for non-gcc [/usr/include] -- --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] -- --datadir=DIR read-only architecture-independent data [DATAROOTDIR] -- --infodir=DIR info documentation [DATAROOTDIR/info] -- --localedir=DIR locale-dependent data [DATAROOTDIR/locale] -- --mandir=DIR man documentation [DATAROOTDIR/man] -- --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] -- --htmldir=DIR html documentation [DOCDIR] -- --dvidir=DIR dvi documentation [DOCDIR] -- --pdfdir=DIR pdf documentation [DOCDIR] -- --psdir=DIR ps documentation [DOCDIR] -+ --bindir=DIR user executables [EPREFIX/bin] -+ --sbindir=DIR system admin executables [EPREFIX/sbin] -+ --libexecdir=DIR program executables [EPREFIX/libexec] -+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc] -+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] -+ --localstatedir=DIR modifiable single-machine data [PREFIX/var] -+ --libdir=DIR object code libraries [EPREFIX/lib] -+ --includedir=DIR C header files [PREFIX/include] -+ --oldincludedir=DIR C header files for non-gcc [/usr/include] -+ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] -+ --datadir=DIR read-only architecture-independent data [DATAROOTDIR] -+ --infodir=DIR info documentation [DATAROOTDIR/info] -+ --localedir=DIR locale-dependent data [DATAROOTDIR/locale] -+ --mandir=DIR man documentation [DATAROOTDIR/man] -+ --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] -+ --htmldir=DIR html documentation [DOCDIR] -+ --dvidir=DIR dvi documentation [DOCDIR] -+ --pdfdir=DIR pdf documentation [DOCDIR] -+ --psdir=DIR ps documentation [DOCDIR] - _ACEOF - - cat <<\_ACEOF -@@ -1207,12 +1269,14 @@ - LDFLAGS linker flags, e.g. -L if you have libraries in a - nonstandard directory - LIBS libraries to pass to the linker, e.g. -l -- CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I if -+ CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if - you have headers in a nonstandard directory -+ CPP C preprocessor - - Use these variables to override the choices made by `configure' or to help - it to find libraries and programs with nonstandard names/locations. - -+Report bugs to the package provider. - _ACEOF - ac_status=$? - fi -@@ -1220,15 +1284,17 @@ - if test "$ac_init_help" = "recursive"; then - # If there are subdirs, report their specific --help. - for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue -- test -d "$ac_dir" || continue -+ test -d "$ac_dir" || -+ { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || -+ continue - ac_builddir=. - - case "$ac_dir" in - .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) -- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` -+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` - # A ".." for each directory in $ac_dir_suffix. -- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` -+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; -@@ -1264,7 +1330,7 @@ - echo && - $SHELL "$ac_srcdir/configure" --help=recursive - else -- echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 -+ $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 - fi || ac_status=$? - cd "$ac_pwd" || { ac_status=$?; break; } - done -@@ -1274,21 +1340,305 @@ - if $ac_init_version; then - cat <<\_ACEOF - configure --generated by GNU Autoconf 2.61 -+generated by GNU Autoconf 2.67 - --Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, --2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. -+Copyright (C) 2010 Free Software Foundation, Inc. - This configure script is free software; the Free Software Foundation - gives unlimited permission to copy, distribute and modify it. - _ACEOF - exit - fi -+ -+## ------------------------ ## -+## Autoconf initialization. ## -+## ------------------------ ## -+ -+# ac_fn_c_try_compile LINENO -+# -------------------------- -+# Try to compile conftest.$ac_ext, and return whether this succeeded. -+ac_fn_c_try_compile () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext -+ if { { ac_try="$ac_compile" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_compile") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest.$ac_objext; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_compile -+ -+# ac_fn_c_try_link LINENO -+# ----------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. -+ac_fn_c_try_link () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext conftest$ac_exeext -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest$ac_exeext && { -+ test "$cross_compiling" = yes || -+ $as_test_x conftest$ac_exeext -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information -+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would -+ # interfere with the next link command; also delete a directory that is -+ # left behind by Apple's compiler. We do this before executing the actions. -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_link -+ -+# ac_fn_c_try_cpp LINENO -+# ---------------------- -+# Try to preprocess conftest.$ac_ext, and return whether this succeeded. -+ac_fn_c_try_cpp () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ if { { ac_try="$ac_cpp conftest.$ac_ext" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } > conftest.i && { -+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || -+ test ! -s conftest.err -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_cpp -+ -+# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES -+# ------------------------------------------------------- -+# Tests whether HEADER exists, giving a warning if it cannot be compiled using -+# the include files in INCLUDES and setting the cache variable VAR -+# accordingly. -+ac_fn_c_check_header_mongrel () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ if eval "test \"\${$3+set}\"" = set; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -+$as_echo_n "checking for $2... " >&6; } -+if eval "test \"\${$3+set}\"" = set; then : -+ $as_echo_n "(cached) " >&6 -+fi -+eval ac_res=\$$3 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -+$as_echo "$ac_res" >&6; } -+else -+ # Is the header compilable? -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 -+$as_echo_n "checking $2 usability... " >&6; } -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+$4 -+#include <$2> -+_ACEOF -+if ac_fn_c_try_compile "$LINENO"; then : -+ ac_header_compiler=yes -+else -+ ac_header_compiler=no -+fi -+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 -+$as_echo "$ac_header_compiler" >&6; } -+ -+# Is the header present? -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 -+$as_echo_n "checking $2 presence... " >&6; } -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include <$2> -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ ac_header_preproc=yes -+else -+ ac_header_preproc=no -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 -+$as_echo "$ac_header_preproc" >&6; } -+ -+# So? What about this header? -+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( -+ yes:no: ) -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 -+$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 -+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -+ ;; -+ no:yes:* ) -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 -+$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 -+$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 -+$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 -+$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 -+$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -+ ;; -+esac -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -+$as_echo_n "checking for $2... " >&6; } -+if eval "test \"\${$3+set}\"" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ eval "$3=\$ac_header_compiler" -+fi -+eval ac_res=\$$3 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -+$as_echo "$ac_res" >&6; } -+fi -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ -+} # ac_fn_c_check_header_mongrel -+ -+# ac_fn_c_try_run LINENO -+# ---------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes -+# that executables *can* be run. -+ac_fn_c_try_run () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' -+ { { case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_try") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: program exited with status $ac_status" >&5 -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=$ac_status -+fi -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_run -+ -+# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES -+# ------------------------------------------------------- -+# Tests whether HEADER exists and can be compiled using the include files in -+# INCLUDES, setting the cache variable VAR accordingly. -+ac_fn_c_check_header_compile () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -+$as_echo_n "checking for $2... " >&6; } -+if eval "test \"\${$3+set}\"" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+$4 -+#include <$2> -+_ACEOF -+if ac_fn_c_try_compile "$LINENO"; then : -+ eval "$3=yes" -+else -+ eval "$3=no" -+fi -+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -+fi -+eval ac_res=\$$3 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -+$as_echo "$ac_res" >&6; } -+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -+ -+} # ac_fn_c_check_header_compile - cat >config.log <<_ACEOF - This file contains any messages produced by compilers while - running configure, to aid debugging if configure makes a mistake. - - It was created by $as_me, which was --generated by GNU Autoconf 2.61. Invocation command line was -+generated by GNU Autoconf 2.67. Invocation command line was - - $ $0 $@ - -@@ -1324,8 +1674,8 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- echo "PATH: $as_dir" --done -+ $as_echo "PATH: $as_dir" -+ done - IFS=$as_save_IFS - - } >&5 -@@ -1359,12 +1709,12 @@ - | -silent | --silent | --silen | --sile | --sil) - continue ;; - *\'*) -- ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; -+ ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - case $ac_pass in -- 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;; -+ 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; - 2) -- ac_configure_args1="$ac_configure_args1 '$ac_arg'" -+ as_fn_append ac_configure_args1 " '$ac_arg'" - if test $ac_must_keep_next = true; then - ac_must_keep_next=false # Got value, back to normal. - else -@@ -1380,13 +1730,13 @@ - -* ) ac_must_keep_next=true ;; - esac - fi -- ac_configure_args="$ac_configure_args '$ac_arg'" -+ as_fn_append ac_configure_args " '$ac_arg'" - ;; - esac - done - done --$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; } --$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; } -+{ ac_configure_args0=; unset ac_configure_args0;} -+{ ac_configure_args1=; unset ac_configure_args1;} - - # When interrupted or exit'd, cleanup temporary files, and complete - # config.log. We remove comments because anyway the quotes in there -@@ -1398,11 +1748,9 @@ - { - echo - -- cat <<\_ASBOX --## ---------------- ## -+ $as_echo "## ---------------- ## - ## Cache variables. ## --## ---------------- ## --_ASBOX -+## ---------------- ##" - echo - # The following way of writing the cache mishandles newlines in values, - ( -@@ -1411,12 +1759,13 @@ - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( -- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 --echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; -+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( -- *) $as_unset $ac_var ;; -+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( -+ *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done -@@ -1435,128 +1784,136 @@ - ) - echo - -- cat <<\_ASBOX --## ----------------- ## -+ $as_echo "## ----------------- ## - ## Output variables. ## --## ----------------- ## --_ASBOX -+## ----------------- ##" - echo - for ac_var in $ac_subst_vars - do - eval ac_val=\$$ac_var - case $ac_val in -- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; -+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac -- echo "$ac_var='\''$ac_val'\''" -+ $as_echo "$ac_var='\''$ac_val'\''" - done | sort - echo - - if test -n "$ac_subst_files"; then -- cat <<\_ASBOX --## ------------------- ## -+ $as_echo "## ------------------- ## - ## File substitutions. ## --## ------------------- ## --_ASBOX -+## ------------------- ##" - echo - for ac_var in $ac_subst_files - do - eval ac_val=\$$ac_var - case $ac_val in -- *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; -+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac -- echo "$ac_var='\''$ac_val'\''" -+ $as_echo "$ac_var='\''$ac_val'\''" - done | sort - echo - fi - - if test -s confdefs.h; then -- cat <<\_ASBOX --## ----------- ## -+ $as_echo "## ----------- ## - ## confdefs.h. ## --## ----------- ## --_ASBOX -+## ----------- ##" - echo - cat confdefs.h - echo - fi - test "$ac_signal" != 0 && -- echo "$as_me: caught signal $ac_signal" -- echo "$as_me: exit $exit_status" -+ $as_echo "$as_me: caught signal $ac_signal" -+ $as_echo "$as_me: exit $exit_status" - } >&5 - rm -f core *.core core.conftest.* && - rm -f -r conftest* confdefs* conf$$* $ac_clean_files && - exit $exit_status - ' 0 - for ac_signal in 1 2 13 15; do -- trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal -+ trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal - done - ac_signal=0 - - # confdefs.h avoids OS command line length limits that DEFS can exceed. - rm -f -r conftest* confdefs.h - -+$as_echo "/* confdefs.h */" > confdefs.h -+ - # Predefined preprocessor variables. - - cat >>confdefs.h <<_ACEOF - #define PACKAGE_NAME "$PACKAGE_NAME" - _ACEOF - -- - cat >>confdefs.h <<_ACEOF - #define PACKAGE_TARNAME "$PACKAGE_TARNAME" - _ACEOF - -- - cat >>confdefs.h <<_ACEOF - #define PACKAGE_VERSION "$PACKAGE_VERSION" - _ACEOF - -- - cat >>confdefs.h <<_ACEOF - #define PACKAGE_STRING "$PACKAGE_STRING" - _ACEOF - -- - cat >>confdefs.h <<_ACEOF - #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" - _ACEOF - -+cat >>confdefs.h <<_ACEOF -+#define PACKAGE_URL "$PACKAGE_URL" -+_ACEOF -+ - - # Let the site file select an alternate cache file if it wants to. --# Prefer explicitly selected file to automatically selected ones. -+# Prefer an explicitly selected file to automatically selected ones. -+ac_site_file1=NONE -+ac_site_file2=NONE - if test -n "$CONFIG_SITE"; then -- set x "$CONFIG_SITE" -+ # We do not want a PATH search for config.site. -+ case $CONFIG_SITE in #(( -+ -*) ac_site_file1=./$CONFIG_SITE;; -+ */*) ac_site_file1=$CONFIG_SITE;; -+ *) ac_site_file1=./$CONFIG_SITE;; -+ esac - elif test "x$prefix" != xNONE; then -- set x "$prefix/share/config.site" "$prefix/etc/config.site" -+ ac_site_file1=$prefix/share/config.site -+ ac_site_file2=$prefix/etc/config.site - else -- set x "$ac_default_prefix/share/config.site" \ -- "$ac_default_prefix/etc/config.site" -+ ac_site_file1=$ac_default_prefix/share/config.site -+ ac_site_file2=$ac_default_prefix/etc/config.site - fi --shift --for ac_site_file -+for ac_site_file in "$ac_site_file1" "$ac_site_file2" - do -- if test -r "$ac_site_file"; then -- { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 --echo "$as_me: loading site script $ac_site_file" >&6;} -+ test "x$ac_site_file" = xNONE && continue -+ if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 -+$as_echo "$as_me: loading site script $ac_site_file" >&6;} - sed 's/^/| /' "$ac_site_file" >&5 -- . "$ac_site_file" -+ . "$ac_site_file" \ -+ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "failed to load site script $ac_site_file -+See \`config.log' for more details" "$LINENO" 5 ; } - fi - done - - if test -r "$cache_file"; then -- # Some versions of bash will fail to source /dev/null (special -- # files actually), so we avoid doing that. -- if test -f "$cache_file"; then -- { echo "$as_me:$LINENO: loading cache $cache_file" >&5 --echo "$as_me: loading cache $cache_file" >&6;} -+ # Some versions of bash will fail to source /dev/null (special files -+ # actually), so we avoid doing that. DJGPP emulates it as a regular file. -+ if test /dev/null != "$cache_file" && test -f "$cache_file"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 -+$as_echo "$as_me: loading cache $cache_file" >&6;} - case $cache_file in - [\\/]* | ?:[\\/]* ) . "$cache_file";; - *) . "./$cache_file";; - esac - fi - else -- { echo "$as_me:$LINENO: creating cache $cache_file" >&5 --echo "$as_me: creating cache $cache_file" >&6;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 -+$as_echo "$as_me: creating cache $cache_file" >&6;} - >$cache_file - fi - -@@ -1570,60 +1927,56 @@ - eval ac_new_val=\$ac_env_${ac_var}_value - case $ac_old_set,$ac_new_set in - set,) -- { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 --echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 -+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,set) -- { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5 --echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 -+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,);; - *) - if test "x$ac_old_val" != "x$ac_new_val"; then -- { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5 --echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} -- { echo "$as_me:$LINENO: former value: $ac_old_val" >&5 --echo "$as_me: former value: $ac_old_val" >&2;} -- { echo "$as_me:$LINENO: current value: $ac_new_val" >&5 --echo "$as_me: current value: $ac_new_val" >&2;} -- ac_cache_corrupted=: -+ # differences in whitespace do not lead to failure. -+ ac_old_val_w=`echo x $ac_old_val` -+ ac_new_val_w=`echo x $ac_new_val` -+ if test "$ac_old_val_w" != "$ac_new_val_w"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 -+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} -+ ac_cache_corrupted=: -+ else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 -+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} -+ eval $ac_var=\$ac_old_val -+ fi -+ { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 -+$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 -+$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} - fi;; - esac - # Pass precious variables to config.status. - if test "$ac_new_set" = set; then - case $ac_new_val in -- *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; -+ *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; - *) ac_arg=$ac_var=$ac_new_val ;; - esac - case " $ac_configure_args " in - *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. -- *) ac_configure_args="$ac_configure_args '$ac_arg'" ;; -+ *) as_fn_append ac_configure_args " '$ac_arg'" ;; - esac - fi - done - if $ac_cache_corrupted; then -- { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5 --echo "$as_me: error: changes in the environment can compromise the build" >&2;} -- { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 --echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} -- { (exit 1); exit 1; }; } --fi -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 -+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} -+ as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 -+fi -+## -------------------- ## -+## Main body of script. ## -+## -------------------- ## - - ac_ext=c - ac_cpp='$CPP $CPPFLAGS' -@@ -1635,6 +1988,9 @@ - - - -+eap_tnc_cflags= -+eap_tnc_ldflags=-lnaaeap -+ - if test x$with_rlm_eap_tnc != xno; then - - ac_ext=c -@@ -1645,10 +2001,10 @@ - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. - set dummy ${ac_tool_prefix}gcc; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -@@ -1658,25 +2014,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_CC="${ac_tool_prefix}gcc" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - CC=$ac_cv_prog_CC - if test -n "$CC"; then -- { echo "$as_me:$LINENO: result: $CC" >&5 --echo "${ECHO_T}$CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -+$as_echo "$CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1685,10 +2041,10 @@ - ac_ct_CC=$CC - # Extract the first word of "gcc", so it can be a program name with args. - set dummy gcc; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_ac_ct_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -@@ -1698,25 +2054,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_CC="gcc" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - ac_ct_CC=$ac_cv_prog_ac_ct_CC - if test -n "$ac_ct_CC"; then -- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 --echo "${ECHO_T}$ac_ct_CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -+$as_echo "$ac_ct_CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - if test "x$ac_ct_CC" = x; then -@@ -1724,12 +2080,8 @@ - else - case $cross_compiling:$ac_tool_warned in - yes:) --{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools --whose name does not start with the host triplet. If you think this --configuration is useful to you, please write to autoconf@gnu.org." >&5 --echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools --whose name does not start with the host triplet. If you think this --configuration is useful to you, please write to autoconf@gnu.org." >&2;} -+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} - ac_tool_warned=yes ;; - esac - CC=$ac_ct_CC -@@ -1742,10 +2094,10 @@ - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. - set dummy ${ac_tool_prefix}cc; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -@@ -1755,25 +2107,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_CC="${ac_tool_prefix}cc" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - CC=$ac_cv_prog_CC - if test -n "$CC"; then -- { echo "$as_me:$LINENO: result: $CC" >&5 --echo "${ECHO_T}$CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -+$as_echo "$CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1782,10 +2134,10 @@ - if test -z "$CC"; then - # Extract the first word of "cc", so it can be a program name with args. - set dummy cc; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -@@ -1796,18 +2148,18 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then - ac_prog_rejected=yes - continue - fi - ac_cv_prog_CC="cc" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - if test $ac_prog_rejected = yes; then -@@ -1826,11 +2178,11 @@ - fi - CC=$ac_cv_prog_CC - if test -n "$CC"; then -- { echo "$as_me:$LINENO: result: $CC" >&5 --echo "${ECHO_T}$CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -+$as_echo "$CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1841,10 +2193,10 @@ - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. - set dummy $ac_tool_prefix$ac_prog; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -@@ -1854,25 +2206,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_CC="$ac_tool_prefix$ac_prog" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - CC=$ac_cv_prog_CC - if test -n "$CC"; then -- { echo "$as_me:$LINENO: result: $CC" >&5 --echo "${ECHO_T}$CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -+$as_echo "$CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1885,10 +2237,10 @@ - do - # Extract the first word of "$ac_prog", so it can be a program name with args. - set dummy $ac_prog; ac_word=$2 --{ echo "$as_me:$LINENO: checking for $ac_word" >&5 --echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } --if test "${ac_cv_prog_ac_ct_CC+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -@@ -1898,25 +2250,25 @@ - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -+ for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_CC="$ac_prog" -- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi - done --done -+ done - IFS=$as_save_IFS - - fi - fi - ac_ct_CC=$ac_cv_prog_ac_ct_CC - if test -n "$ac_ct_CC"; then -- { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 --echo "${ECHO_T}$ac_ct_CC" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -+$as_echo "$ac_ct_CC" >&6; } - else -- { echo "$as_me:$LINENO: result: no" >&5 --echo "${ECHO_T}no" >&6; } -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } - fi - - -@@ -1928,12 +2280,8 @@ - else - case $cross_compiling:$ac_tool_warned in - yes:) --{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools --whose name does not start with the host triplet. If you think this --configuration is useful to you, please write to autoconf@gnu.org." >&5 --echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools --whose name does not start with the host triplet. If you think this --configuration is useful to you, please write to autoconf@gnu.org." >&2;} -+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} - ac_tool_warned=yes ;; - esac - CC=$ac_ct_CC -@@ -1943,51 +2291,37 @@ - fi - - --test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH --See \`config.log' for more details." >&5 --echo "$as_me: error: no acceptable C compiler found in \$PATH --See \`config.log' for more details." >&2;} -- { (exit 1); exit 1; }; } -+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "no acceptable C compiler found in \$PATH -+See \`config.log' for more details" "$LINENO" 5 ; } - - # Provide some information about the compiler. --echo "$as_me:$LINENO: checking for C compiler version" >&5 --ac_compiler=`set X $ac_compile; echo $2` --{ (ac_try="$ac_compiler --version >&5" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compiler --version >&5") 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } --{ (ac_try="$ac_compiler -v >&5" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compiler -v >&5") 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } --{ (ac_try="$ac_compiler -V >&5" -+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 -+set X $ac_compile -+ac_compiler=$2 -+for ac_option in --version -v -V -qversion; do -+ { { ac_try="$ac_compiler $ac_option >&5" - case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; - esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compiler -V >&5") 2>&5 -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_compiler $ac_option >&5") 2>conftest.err - ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } -+ if test -s conftest.err; then -+ sed '10a\ -+... rest of stderr output deleted ... -+ 10q' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ fi -+ rm -f conftest.er1 conftest.err -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } -+done - --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -1999,42 +2333,38 @@ - } - _ACEOF - ac_clean_files_save=$ac_clean_files --ac_clean_files="$ac_clean_files a.out a.exe b.out" -+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" - # Try to create an executable without -o first, disregard a.out. - # It will help us diagnose broken compilers, and finding out an intuition - # of exeext. --{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 --echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; } --ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` --# --# List of possible output files, starting from the most likely. --# The algorithm is not robust to junk in `.', hence go to wildcards (a.*) --# only as a last resort. b.out is created by i960 compilers. --ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out' --# --# The IRIX 6 linker writes into existing files which may not be --# executable, retaining their permissions. Remove them first so a --# subsequent execution test works. -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 -+$as_echo_n "checking whether the C compiler works... " >&6; } -+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` -+ -+# The possible output files: -+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" -+ - ac_rmfiles= - for ac_file in $ac_files - do - case $ac_file in -- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; -+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; - * ) ac_rmfiles="$ac_rmfiles $ac_file";; - esac - done - rm -f $ac_rmfiles - --if { (ac_try="$ac_link_default" -+if { { ac_try="$ac_link_default" - case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; - esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link_default") 2>&5 - ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; then -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then : - # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. - # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' - # in a Makefile. We should not override ac_cv_exeext if it was cached, -@@ -2044,14 +2374,14 @@ - do - test -f "$ac_file" || continue - case $ac_file in -- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) -+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) - ;; - [ab].out ) - # We found the default executable, but exeext='' is most - # certainly right. - break;; - *.* ) -- if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; -+ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; - then :; else - ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - fi -@@ -2070,116 +2400,132 @@ - else - ac_file='' - fi -- --{ echo "$as_me:$LINENO: result: $ac_file" >&5 --echo "${ECHO_T}$ac_file" >&6; } --if test -z "$ac_file"; then -- echo "$as_me: failed program was:" >&5 -+if test -z "$ac_file"; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+$as_echo "$as_me: failed program was:" >&5 - sed 's/^/| /' conftest.$ac_ext >&5 - --{ { echo "$as_me:$LINENO: error: C compiler cannot create executables --See \`config.log' for more details." >&5 --echo "$as_me: error: C compiler cannot create executables --See \`config.log' for more details." >&2;} -- { (exit 77); exit 77; }; } --fi -- -+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error 77 "C compiler cannot create executables -+See \`config.log' for more details" "$LINENO" 5 ; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 -+$as_echo_n "checking for C compiler default output file name... " >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 -+$as_echo "$ac_file" >&6; } - ac_exeext=$ac_cv_exeext - -+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out -+ac_clean_files=$ac_clean_files_save -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 -+$as_echo_n "checking for suffix of executables... " >&6; } -+if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then : -+ # If both `conftest.exe' and `conftest' are `present' (well, observable) -+# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will -+# work properly (i.e., refer to `conftest.exe'), while it won't with -+# `rm'. -+for ac_file in conftest.exe conftest conftest.*; do -+ test -f "$ac_file" || continue -+ case $ac_file in -+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; -+ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` -+ break;; -+ * ) break;; -+ esac -+done -+else -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "cannot compute suffix of executables: cannot compile and link -+See \`config.log' for more details" "$LINENO" 5 ; } -+fi -+rm -f conftest conftest$ac_cv_exeext -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 -+$as_echo "$ac_cv_exeext" >&6; } -+ -+rm -f conftest.$ac_ext -+EXEEXT=$ac_cv_exeext -+ac_exeext=$EXEEXT -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+int -+main () -+{ -+FILE *f = fopen ("conftest.out", "w"); -+ return ferror (f) || fclose (f) != 0; -+ -+ ; -+ return 0; -+} -+_ACEOF -+ac_clean_files="$ac_clean_files conftest.out" - # Check that the compiler produces executables we can run. If not, either - # the compiler is broken, or we cross compile. --{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5 --echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; } --# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 --# If not cross compiling, check that we can run a simple program. -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 -+$as_echo_n "checking whether we are cross compiling... " >&6; } - if test "$cross_compiling" != yes; then -- if { ac_try='./$ac_file' -- { (case "(($ac_try" in -+ { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } -+ if { ac_try='./conftest$ac_cv_exeext' -+ { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; - esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; }; then -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else -- { { echo "$as_me:$LINENO: error: cannot run C compiled programs. --If you meant to cross compile, use \`--host'. --See \`config.log' for more details." >&5 --echo "$as_me: error: cannot run C compiled programs. -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "cannot run C compiled programs. - If you meant to cross compile, use \`--host'. --See \`config.log' for more details." >&2;} -- { (exit 1); exit 1; }; } -+See \`config.log' for more details" "$LINENO" 5 ; } - fi - fi - fi --{ echo "$as_me:$LINENO: result: yes" >&5 --echo "${ECHO_T}yes" >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 -+$as_echo "$cross_compiling" >&6; } - --rm -f a.out a.exe conftest$ac_cv_exeext b.out -+rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out - ac_clean_files=$ac_clean_files_save --# Check that the compiler produces executables we can run. If not, either --# the compiler is broken, or we cross compile. --{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 --echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; } --{ echo "$as_me:$LINENO: result: $cross_compiling" >&5 --echo "${ECHO_T}$cross_compiling" >&6; } -- --{ echo "$as_me:$LINENO: checking for suffix of executables" >&5 --echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; } --if { (ac_try="$ac_link" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_link") 2>&5 -- ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; then -- # If both `conftest.exe' and `conftest' are `present' (well, observable) --# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will --# work properly (i.e., refer to `conftest.exe'), while it won't with --# `rm'. --for ac_file in conftest.exe conftest conftest.*; do -- test -f "$ac_file" || continue -- case $ac_file in -- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; -- *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` -- break;; -- * ) break;; -- esac --done -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 -+$as_echo_n "checking for suffix of object files... " >&6; } -+if test "${ac_cv_objext+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else -- { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link --See \`config.log' for more details." >&5 --echo "$as_me: error: cannot compute suffix of executables: cannot compile and link --See \`config.log' for more details." >&2;} -- { (exit 1); exit 1; }; } --fi -- --rm -f conftest$ac_cv_exeext --{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 --echo "${ECHO_T}$ac_cv_exeext" >&6; } -- --rm -f conftest.$ac_ext --EXEEXT=$ac_cv_exeext --ac_exeext=$EXEEXT --{ echo "$as_me:$LINENO: checking for suffix of object files" >&5 --echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; } --if test "${ac_cv_objext+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2191,51 +2537,46 @@ - } - _ACEOF - rm -f conftest.o conftest.obj --if { (ac_try="$ac_compile" -+if { { ac_try="$ac_compile" - case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; - esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compile") 2>&5 - ac_status=$? -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); }; then -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then : - for ac_file in conftest.o conftest.obj conftest.*; do - test -f "$ac_file" || continue; - case $ac_file in -- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;; -+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; - *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` - break;; - esac - done - else -- echo "$as_me: failed program was:" >&5 -+ $as_echo "$as_me: failed program was:" >&5 - sed 's/^/| /' conftest.$ac_ext >&5 - --{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile --See \`config.log' for more details." >&5 --echo "$as_me: error: cannot compute suffix of object files: cannot compile --See \`config.log' for more details." >&2;} -- { (exit 1); exit 1; }; } -+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "cannot compute suffix of object files: cannot compile -+See \`config.log' for more details" "$LINENO" 5 ; } - fi -- - rm -f conftest.$ac_cv_objext conftest.$ac_ext - fi --{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 --echo "${ECHO_T}$ac_cv_objext" >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 -+$as_echo "$ac_cv_objext" >&6; } - OBJEXT=$ac_cv_objext - ac_objext=$OBJEXT --{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 --echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; } --if test "${ac_cv_c_compiler_gnu+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 -+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } -+if test "${ac_cv_c_compiler_gnu+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2249,54 +2590,34 @@ - return 0; - } - _ACEOF --rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest.$ac_objext; then -+if ac_fn_c_try_compile "$LINENO"; then : - ac_compiler_gnu=yes - else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- -- ac_compiler_gnu=no -+ ac_compiler_gnu=no - fi -- - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ac_cv_c_compiler_gnu=$ac_compiler_gnu - - fi --{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 --echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; } --GCC=`test $ac_compiler_gnu = yes && echo yes` -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 -+$as_echo "$ac_cv_c_compiler_gnu" >&6; } -+if test $ac_compiler_gnu = yes; then -+ GCC=yes -+else -+ GCC= -+fi - ac_test_CFLAGS=${CFLAGS+set} - ac_save_CFLAGS=$CFLAGS --{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 --echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; } --if test "${ac_cv_prog_cc_g+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 -+$as_echo_n "checking whether $CC accepts -g... " >&6; } -+if test "${ac_cv_prog_cc_g+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - ac_save_c_werror_flag=$ac_c_werror_flag - ac_c_werror_flag=yes - ac_cv_prog_cc_g=no - CFLAGS="-g" -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2307,34 +2628,11 @@ - return 0; - } - _ACEOF --rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest.$ac_objext; then -+if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_g=yes - else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- -- CFLAGS="" -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ CFLAGS="" -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2345,35 +2643,12 @@ - return 0; - } - _ACEOF --rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest.$ac_objext; then -- : --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -+if ac_fn_c_try_compile "$LINENO"; then : - -- ac_c_werror_flag=$ac_save_c_werror_flag -+else -+ ac_c_werror_flag=$ac_save_c_werror_flag - CFLAGS="-g" -- cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - - int -@@ -2384,42 +2659,18 @@ - return 0; - } - _ACEOF --rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest.$ac_objext; then -+if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_g=yes --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- -- - fi -- - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi -- - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi -- - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ac_c_werror_flag=$ac_save_c_werror_flag - fi --{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 --echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 -+$as_echo "$ac_cv_prog_cc_g" >&6; } - if test "$ac_test_CFLAGS" = set; then - CFLAGS=$ac_save_CFLAGS - elif test $ac_cv_prog_cc_g = yes; then -@@ -2435,18 +2686,14 @@ - CFLAGS= - fi - fi --{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 --echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; } --if test "${ac_cv_prog_cc_c89+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 -+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } -+if test "${ac_cv_prog_cc_c89+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - ac_cv_prog_cc_c89=no - ac_save_CC=$CC --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ --_ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - #include - #include -@@ -2503,31 +2750,9 @@ - -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" - do - CC="$ac_save_CC $ac_arg" -- rm -f conftest.$ac_objext --if { (ac_try="$ac_compile" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_compile") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest.$ac_objext; then -+ if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_c89=$ac_arg --else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -- -- - fi -- - rm -f core conftest.err conftest.$ac_objext - test "x$ac_cv_prog_cc_c89" != "xno" && break - done -@@ -2538,17 +2763,19 @@ - # AC_CACHE_VAL - case "x$ac_cv_prog_cc_c89" in - x) -- { echo "$as_me:$LINENO: result: none needed" >&5 --echo "${ECHO_T}none needed" >&6; } ;; -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 -+$as_echo "none needed" >&6; } ;; - xno) -- { echo "$as_me:$LINENO: result: unsupported" >&5 --echo "${ECHO_T}unsupported" >&6; } ;; -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 -+$as_echo "unsupported" >&6; } ;; - *) - CC="$CC $ac_cv_prog_cc_c89" -- { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 --echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;; -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 -+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; - esac -+if test "x$ac_cv_prog_cc_c89" != xno; then : - -+fi - - ac_ext=c - ac_cpp='$CPP $CPPFLAGS' -@@ -2557,81 +2784,474 @@ - ac_compiler_gnu=$ac_cv_c_compiler_gnu - - -- --{ echo "$as_me:$LINENO: checking for exchangeTNCCSMessages in -lTNCS" >&5 --echo $ECHO_N "checking for exchangeTNCCSMessages in -lTNCS... $ECHO_C" >&6; } --if test "${ac_cv_lib_TNCS_exchangeTNCCSMessages+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for processEAPTNCData in -lnaaeap" >&5 -+$as_echo_n "checking for processEAPTNCData in -lnaaeap... " >&6; } -+if test "${ac_cv_lib_naaeap_processEAPTNCData+set}" = set; then : -+ $as_echo_n "(cached) " >&6 - else - ac_check_lib_save_LIBS=$LIBS --LIBS="-lTNCS $LIBS" --cat >conftest.$ac_ext <<_ACEOF --/* confdefs.h. */ -+LIBS="-lnaaeap $LIBS" -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+/* Override any GCC internal prototype to avoid an error. -+ Use char because int might match the return type of a GCC -+ builtin and then its argument prototype would still apply. */ -+#ifdef __cplusplus -+extern "C" -+#endif -+char processEAPTNCData (); -+int -+main () -+{ -+return processEAPTNCData (); -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ ac_cv_lib_naaeap_processEAPTNCData=yes -+else -+ ac_cv_lib_naaeap_processEAPTNCData=no -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+LIBS=$ac_check_lib_save_LIBS -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_naaeap_processEAPTNCData" >&5 -+$as_echo "$ac_cv_lib_naaeap_processEAPTNCData" >&6; } -+if test "x$ac_cv_lib_naaeap_processEAPTNCData" = x""yes; then : -+ cat >>confdefs.h <<_ACEOF -+#define HAVE_LIBNAAEAP 1 -+_ACEOF -+ -+ LIBS="-lnaaeap $LIBS" -+ -+else -+ fail="$fail -lnaaeap" -+fi -+ -+ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the NAAEAP library was not found!" >&5 -+$as_echo "$as_me: WARNING: the NAAEAP library was not found!" >&2;} -+ fail="$fail -lNAAEAP" -+ fi -+ -+ ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 -+$as_echo_n "checking how to run the C preprocessor... " >&6; } -+# On Suns, sometimes $CPP names a directory. -+if test -n "$CPP" && test -d "$CPP"; then -+ CPP= -+fi -+if test -z "$CPP"; then -+ if test "${ac_cv_prog_CPP+set}" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ # Double quotes because CPP needs to be expanded -+ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" -+ do -+ ac_preproc_ok=false -+for ac_c_preproc_warn_flag in '' yes -+do -+ # Use a header file that comes with gcc, so configuring glibc -+ # with a fresh cross-compiler works. -+ # Prefer to if __STDC__ is defined, since -+ # exists even on freestanding compilers. -+ # On the NeXT, cc -E runs the code through the compiler's parser, -+ # not just through cpp. "Syntax error" is here to catch this case. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#ifdef __STDC__ -+# include -+#else -+# include -+#endif -+ Syntax error -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ -+else -+ # Broken: fails on valid input. -+continue -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+ -+ # OK, works on sane cases. Now check whether nonexistent headers -+ # can be detected and how. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ # Broken: success on invalid input. -+continue -+else -+ # Passes both tests. -+ac_preproc_ok=: -+break -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+ -+done -+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -+rm -f conftest.i conftest.err conftest.$ac_ext -+if $ac_preproc_ok; then : -+ break -+fi -+ -+ done -+ ac_cv_prog_CPP=$CPP -+ -+fi -+ CPP=$ac_cv_prog_CPP -+else -+ ac_cv_prog_CPP=$CPP -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 -+$as_echo "$CPP" >&6; } -+ac_preproc_ok=false -+for ac_c_preproc_warn_flag in '' yes -+do -+ # Use a header file that comes with gcc, so configuring glibc -+ # with a fresh cross-compiler works. -+ # Prefer to if __STDC__ is defined, since -+ # exists even on freestanding compilers. -+ # On the NeXT, cc -E runs the code through the compiler's parser, -+ # not just through cpp. "Syntax error" is here to catch this case. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#ifdef __STDC__ -+# include -+#else -+# include -+#endif -+ Syntax error -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ -+else -+ # Broken: fails on valid input. -+continue -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+ -+ # OK, works on sane cases. Now check whether nonexistent headers -+ # can be detected and how. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+_ACEOF -+if ac_fn_c_try_cpp "$LINENO"; then : -+ # Broken: success on invalid input. -+continue -+else -+ # Passes both tests. -+ac_preproc_ok=: -+break -+fi -+rm -f conftest.err conftest.i conftest.$ac_ext -+ -+done -+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -+rm -f conftest.i conftest.err conftest.$ac_ext -+if $ac_preproc_ok; then : -+ -+else -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check -+See \`config.log' for more details" "$LINENO" 5 ; } -+fi -+ -+ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+ -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 -+$as_echo_n "checking for grep that handles long lines and -e... " >&6; } -+if test "${ac_cv_path_GREP+set}" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ if test -z "$GREP"; then -+ ac_path_GREP_found=false -+ # Loop through the user's path and test for each of PROGNAME-LIST -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. -+ for ac_prog in grep ggrep; do -+ for ac_exec_ext in '' $ac_executable_extensions; do -+ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" -+ { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue -+# Check for GNU ac_path_GREP and select it if it is found. -+ # Check for GNU $ac_path_GREP -+case `"$ac_path_GREP" --version 2>&1` in -+*GNU*) -+ ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; -+*) -+ ac_count=0 -+ $as_echo_n 0123456789 >"conftest.in" -+ while : -+ do -+ cat "conftest.in" "conftest.in" >"conftest.tmp" -+ mv "conftest.tmp" "conftest.in" -+ cp "conftest.in" "conftest.nl" -+ $as_echo 'GREP' >> "conftest.nl" -+ "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break -+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break -+ as_fn_arith $ac_count + 1 && ac_count=$as_val -+ if test $ac_count -gt ${ac_path_GREP_max-0}; then -+ # Best one so far, save it but keep looking for a better one -+ ac_cv_path_GREP="$ac_path_GREP" -+ ac_path_GREP_max=$ac_count -+ fi -+ # 10*(2^10) chars as input seems more than enough -+ test $ac_count -gt 10 && break -+ done -+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -+esac -+ -+ $ac_path_GREP_found && break 3 -+ done -+ done -+ done -+IFS=$as_save_IFS -+ if test -z "$ac_cv_path_GREP"; then -+ as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 -+ fi -+else -+ ac_cv_path_GREP=$GREP -+fi -+ -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 -+$as_echo "$ac_cv_path_GREP" >&6; } -+ GREP="$ac_cv_path_GREP" -+ -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 -+$as_echo_n "checking for egrep... " >&6; } -+if test "${ac_cv_path_EGREP+set}" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 -+ then ac_cv_path_EGREP="$GREP -E" -+ else -+ if test -z "$EGREP"; then -+ ac_path_EGREP_found=false -+ # Loop through the user's path and test for each of PROGNAME-LIST -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. -+ for ac_prog in egrep; do -+ for ac_exec_ext in '' $ac_executable_extensions; do -+ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" -+ { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue -+# Check for GNU ac_path_EGREP and select it if it is found. -+ # Check for GNU $ac_path_EGREP -+case `"$ac_path_EGREP" --version 2>&1` in -+*GNU*) -+ ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; -+*) -+ ac_count=0 -+ $as_echo_n 0123456789 >"conftest.in" -+ while : -+ do -+ cat "conftest.in" "conftest.in" >"conftest.tmp" -+ mv "conftest.tmp" "conftest.in" -+ cp "conftest.in" "conftest.nl" -+ $as_echo 'EGREP' >> "conftest.nl" -+ "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break -+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break -+ as_fn_arith $ac_count + 1 && ac_count=$as_val -+ if test $ac_count -gt ${ac_path_EGREP_max-0}; then -+ # Best one so far, save it but keep looking for a better one -+ ac_cv_path_EGREP="$ac_path_EGREP" -+ ac_path_EGREP_max=$ac_count -+ fi -+ # 10*(2^10) chars as input seems more than enough -+ test $ac_count -gt 10 && break -+ done -+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -+esac -+ -+ $ac_path_EGREP_found && break 3 -+ done -+ done -+ done -+IFS=$as_save_IFS -+ if test -z "$ac_cv_path_EGREP"; then -+ as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 -+ fi -+else -+ ac_cv_path_EGREP=$EGREP -+fi -+ -+ fi -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 -+$as_echo "$ac_cv_path_EGREP" >&6; } -+ EGREP="$ac_cv_path_EGREP" -+ -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 -+$as_echo_n "checking for ANSI C header files... " >&6; } -+if test "${ac_cv_header_stdc+set}" = set; then : -+ $as_echo_n "(cached) " >&6 -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+#include -+#include -+#include -+ -+int -+main () -+{ -+ -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_compile "$LINENO"; then : -+ ac_cv_header_stdc=yes -+else -+ ac_cv_header_stdc=no -+fi -+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -+ -+if test $ac_cv_header_stdc = yes; then -+ # SunOS 4.x string.h does not declare mem*, contrary to ANSI. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+ - _ACEOF --cat confdefs.h >>conftest.$ac_ext --cat >>conftest.$ac_ext <<_ACEOF -+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | -+ $EGREP "memchr" >/dev/null 2>&1; then : -+ -+else -+ ac_cv_header_stdc=no -+fi -+rm -f conftest* -+ -+fi -+ -+if test $ac_cv_header_stdc = yes; then -+ # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+ -+_ACEOF -+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | -+ $EGREP "free" >/dev/null 2>&1; then : -+ -+else -+ ac_cv_header_stdc=no -+fi -+rm -f conftest* -+ -+fi -+ -+if test $ac_cv_header_stdc = yes; then -+ # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. -+ if test "$cross_compiling" = yes; then : -+ : -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ -- --/* Override any GCC internal prototype to avoid an error. -- Use char because int might match the return type of a GCC -- builtin and then its argument prototype would still apply. */ --#ifdef __cplusplus --extern "C" -+#include -+#include -+#if ((' ' & 0x0FF) == 0x020) -+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') -+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) -+#else -+# define ISLOWER(c) \ -+ (('a' <= (c) && (c) <= 'i') \ -+ || ('j' <= (c) && (c) <= 'r') \ -+ || ('s' <= (c) && (c) <= 'z')) -+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) - #endif --char exchangeTNCCSMessages (); -+ -+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) - int - main () - { --return exchangeTNCCSMessages (); -- ; -+ int i; -+ for (i = 0; i < 256; i++) -+ if (XOR (islower (i), ISLOWER (i)) -+ || toupper (i) != TOUPPER (i)) -+ return 2; - return 0; - } - _ACEOF --rm -f conftest.$ac_objext conftest$ac_exeext --if { (ac_try="$ac_link" --case "(($ac_try" in -- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -- *) ac_try_echo=$ac_try;; --esac --eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 -- (eval "$ac_link") 2>conftest.er1 -- ac_status=$? -- grep -v '^ *+' conftest.er1 >conftest.err -- rm -f conftest.er1 -- cat conftest.err >&5 -- echo "$as_me:$LINENO: \$? = $ac_status" >&5 -- (exit $ac_status); } && { -- test -z "$ac_c_werror_flag" || -- test ! -s conftest.err -- } && test -s conftest$ac_exeext && -- $as_test_x conftest$ac_exeext; then -- ac_cv_lib_TNCS_exchangeTNCCSMessages=yes -+if ac_fn_c_try_run "$LINENO"; then : -+ - else -- echo "$as_me: failed program was:" >&5 --sed 's/^/| /' conftest.$ac_ext >&5 -+ ac_cv_header_stdc=no -+fi -+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ -+ conftest.$ac_objext conftest.beam conftest.$ac_ext -+fi - -- ac_cv_lib_TNCS_exchangeTNCCSMessages=no - fi -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 -+$as_echo "$ac_cv_header_stdc" >&6; } -+if test $ac_cv_header_stdc = yes; then -+ -+$as_echo "#define STDC_HEADERS 1" >>confdefs.h - --rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ -- conftest$ac_exeext conftest.$ac_ext --LIBS=$ac_check_lib_save_LIBS - fi --{ echo "$as_me:$LINENO: result: $ac_cv_lib_TNCS_exchangeTNCCSMessages" >&5 --echo "${ECHO_T}$ac_cv_lib_TNCS_exchangeTNCCSMessages" >&6; } --if test $ac_cv_lib_TNCS_exchangeTNCCSMessages = yes; then -+ -+# On IRIX 5.3, sys/types and inttypes.h are conflicting. -+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ -+ inttypes.h stdint.h unistd.h -+do : -+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default -+" -+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF --#define HAVE_LIBTNCS 1 -+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 - _ACEOF - -- LIBS="-lTNCS $LIBS" -+fi -+ -+done -+ -+ -+for ac_header in naaeap/naaeap.h -+do : -+ ac_fn_c_check_header_mongrel "$LINENO" "naaeap/naaeap.h" "ac_cv_header_naaeap_naaeap_h" "$ac_includes_default" -+if test "x$ac_cv_header_naaeap_naaeap_h" = x""yes; then : -+ cat >>confdefs.h <<_ACEOF -+#define HAVE_NAAEAP_NAAEAP_H 1 -+_ACEOF - -+else -+ fail="$fail -Inaaeap.h" - fi - -- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then -- { echo "$as_me:$LINENO: WARNING: the TNCS library isn't found!" >&5 --echo "$as_me: WARNING: the TNCS library isn't found!" >&2;} -- fail="$fail -lTNCS" -+done -+ -+ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the naaeap header was not found!" >&5 -+$as_echo "$as_me: WARNING: the naaeap header was not found!" >&2;} -+ fail="$fail -Inaaeap.h" - fi - - targetname=rlm_eap_tnc -@@ -2642,14 +3262,12 @@ - - if test x"$fail" != x""; then - if test x"${enable_strict_dependencies}" = x"yes"; then -- { { echo "$as_me:$LINENO: error: set --without-rlm_eap_tnc to disable it explicitly." >&5 --echo "$as_me: error: set --without-rlm_eap_tnc to disable it explicitly." >&2;} -- { (exit 1); exit 1; }; } -+ as_fn_error $? "set --without-rlm_eap_tnc to disable it explicitly." "$LINENO" 5 - else -- { echo "$as_me:$LINENO: WARNING: silently not building rlm_eap_tnc." >&5 --echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;} -- { echo "$as_me:$LINENO: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5 --echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;}; -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_tnc." >&5 -+$as_echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5 -+$as_echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;}; - targetname="" - fi - fi -@@ -2658,11 +3276,7 @@ - - - -- -- unset ac_cv_env_LIBS_set -- unset ac_cv_env_LIBS_value -- -- ac_config_files="$ac_config_files Makefile" -+ac_config_files="$ac_config_files Makefile" - - cat >confcache <<\_ACEOF - # This file is a shell script that caches the results of configure -@@ -2691,12 +3305,13 @@ - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( -- *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 --echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; -+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( -- *) $as_unset $ac_var ;; -+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( -+ *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done -@@ -2704,8 +3319,8 @@ - (set) 2>&1 | - case $as_nl`(ac_space=' '; set) 2>&1` in #( - *${as_nl}ac_space=\ *) -- # `set' does not quote correctly, so add quotes (double-quote -- # substitution turns \\\\ into \\, and sed turns \\ into \). -+ # `set' does not quote correctly, so add quotes: double-quote -+ # substitution turns \\\\ into \\, and sed turns \\ into \. - sed -n \ - "s/'/'\\\\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" -@@ -2728,12 +3343,12 @@ - if diff "$cache_file" confcache >/dev/null 2>&1; then :; else - if test -w "$cache_file"; then - test "x$cache_file" != "x/dev/null" && -- { echo "$as_me:$LINENO: updating cache $cache_file" >&5 --echo "$as_me: updating cache $cache_file" >&6;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 -+$as_echo "$as_me: updating cache $cache_file" >&6;} - cat confcache >$cache_file - else -- { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5 --echo "$as_me: not updating unwritable cache $cache_file" >&6;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 -+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} - fi - fi - rm -f confcache -@@ -2750,6 +3365,12 @@ - # take arguments), then branch to the quote section. Otherwise, - # look for a macro that doesn't take arguments. - ac_script=' -+:mline -+/\\$/{ -+ N -+ s,\\\n,, -+ b mline -+} - t clear - :clear - s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g -@@ -2776,14 +3397,15 @@ - - ac_libobjs= - ac_ltlibobjs= -+U= - for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue - # 1. Remove the extension, and $U if already installed. - ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' -- ac_i=`echo "$ac_i" | sed "$ac_script"` -+ ac_i=`$as_echo "$ac_i" | sed "$ac_script"` - # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR - # will be set to the directory where LIBOBJS objects are built. -- ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext" -- ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo' -+ as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" -+ as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' - done - LIBOBJS=$ac_libobjs - -@@ -2792,11 +3414,13 @@ - - - : ${CONFIG_STATUS=./config.status} -+ac_write_fail=0 - ac_clean_files_save=$ac_clean_files - ac_clean_files="$ac_clean_files $CONFIG_STATUS" --{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5 --echo "$as_me: creating $CONFIG_STATUS" >&6;} --cat >$CONFIG_STATUS <<_ACEOF -+{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 -+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} -+as_write_fail=0 -+cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 - #! $SHELL - # Generated by $as_me. - # Run this file to recreate the current configuration. -@@ -2806,59 +3430,79 @@ - debug=false - ac_cs_recheck=false - ac_cs_silent=false --SHELL=\${CONFIG_SHELL-$SHELL} --_ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF --## --------------------- ## --## M4sh Initialization. ## --## --------------------- ## -+SHELL=\${CONFIG_SHELL-$SHELL} -+export SHELL -+_ASEOF -+cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 -+## -------------------- ## -+## M4sh Initialization. ## -+## -------------------- ## - - # Be more Bourne compatible - DUALCASE=1; export DUALCASE # for MKS sh --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: -- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which -+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST - else -- case `(set -o) 2>/dev/null` in -- *posix*) set -o posix ;; -+ case `(set -o) 2>/dev/null` in #( -+ *posix*) : -+ set -o posix ;; #( -+ *) : -+ ;; - esac -- - fi - - -- -- --# PATH needs CR --# Avoid depending upon Character Ranges. --as_cr_letters='abcdefghijklmnopqrstuvwxyz' --as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' --as_cr_Letters=$as_cr_letters$as_cr_LETTERS --as_cr_digits='0123456789' --as_cr_alnum=$as_cr_Letters$as_cr_digits -- --# The user is always right. --if test "${PATH_SEPARATOR+set}" != set; then -- echo "#! /bin/sh" >conf$$.sh -- echo "exit 0" >>conf$$.sh -- chmod +x conf$$.sh -- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then -- PATH_SEPARATOR=';' -+as_nl=' -+' -+export as_nl -+# Printing a long string crashes Solaris 7 /usr/bin/printf. -+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' -+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo -+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -+# Prefer a ksh shell builtin over an external printf program on Solaris, -+# but without wasting forks for bash or zsh. -+if test -z "$BASH_VERSION$ZSH_VERSION" \ -+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then -+ as_echo='print -r --' -+ as_echo_n='print -rn --' -+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then -+ as_echo='printf %s\n' -+ as_echo_n='printf %s' -+else -+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then -+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' -+ as_echo_n='/usr/ucb/echo -n' - else -- PATH_SEPARATOR=: -+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"' -+ as_echo_n_body='eval -+ arg=$1; -+ case $arg in #( -+ *"$as_nl"*) -+ expr "X$arg" : "X\\(.*\\)$as_nl"; -+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; -+ esac; -+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" -+ ' -+ export as_echo_n_body -+ as_echo_n='sh -c $as_echo_n_body as_echo' - fi -- rm -f conf$$.sh -+ export as_echo_body -+ as_echo='sh -c $as_echo_body as_echo' - fi - --# Support unset when possible. --if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then -- as_unset=unset --else -- as_unset=false -+# The user is always right. -+if test "${PATH_SEPARATOR+set}" != set; then -+ PATH_SEPARATOR=: -+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { -+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || -+ PATH_SEPARATOR=';' -+ } - fi - - -@@ -2867,20 +3511,18 @@ - # there to prevent editors from complaining about space-tab. - # (If _AS_PATH_WALK were called with IFS unset, it would disable word - # splitting by setting IFS to empty value.) --as_nl=' --' - IFS=" "" $as_nl" - - # Find who we are. Look in the path if we contain no directory separator. --case $0 in -+case $0 in #(( - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR - for as_dir in $PATH - do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. -- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break --done -+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -+ done - IFS=$as_save_IFS - - ;; -@@ -2891,32 +3533,111 @@ - as_myself=$0 - fi - if test ! -f "$as_myself"; then -- echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 -- { (exit 1); exit 1; } -+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 -+ exit 1 - fi - --# Work around bugs in pre-3.0 UWIN ksh. --for as_var in ENV MAIL MAILPATH --do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -+# Unset variables that we do not need and which cause bugs (e.g. in -+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -+# suppresses any "Segmentation fault" message there. '((' could -+# trigger a bug in pdksh 5.2.14. -+for as_var in BASH_ENV ENV MAIL MAILPATH -+do eval test x\${$as_var+set} = xset \ -+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : - done - PS1='$ ' - PS2='> ' - PS4='+ ' - - # NLS nuisances. --for as_var in \ -- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \ -- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \ -- LC_TELEPHONE LC_TIME --do -- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then -- eval $as_var=C; export $as_var -- else -- ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var -+LC_ALL=C -+export LC_ALL -+LANGUAGE=C -+export LANGUAGE -+ -+# CDPATH. -+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH -+ -+ -+# as_fn_error STATUS ERROR [LINENO LOG_FD] -+# ---------------------------------------- -+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -+# script with STATUS, using 1 if that was 0. -+as_fn_error () -+{ -+ as_status=$1; test $as_status -eq 0 && as_status=1 -+ if test "$4"; then -+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 - fi --done -+ $as_echo "$as_me: error: $2" >&2 -+ as_fn_exit $as_status -+} # as_fn_error -+ -+ -+# as_fn_set_status STATUS -+# ----------------------- -+# Set $? to STATUS, without forking. -+as_fn_set_status () -+{ -+ return $1 -+} # as_fn_set_status -+ -+# as_fn_exit STATUS -+# ----------------- -+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -+as_fn_exit () -+{ -+ set +e -+ as_fn_set_status $1 -+ exit $1 -+} # as_fn_exit -+ -+# as_fn_unset VAR -+# --------------- -+# Portably unset VAR. -+as_fn_unset () -+{ -+ { eval $1=; unset $1;} -+} -+as_unset=as_fn_unset -+# as_fn_append VAR VALUE -+# ---------------------- -+# Append the text in VALUE to the end of the definition contained in VAR. Take -+# advantage of any shell optimizations that allow amortized linear growth over -+# repeated appends, instead of the typical quadratic growth present in naive -+# implementations. -+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : -+ eval 'as_fn_append () -+ { -+ eval $1+=\$2 -+ }' -+else -+ as_fn_append () -+ { -+ eval $1=\$$1\$2 -+ } -+fi # as_fn_append -+ -+# as_fn_arith ARG... -+# ------------------ -+# Perform arithmetic evaluation on the ARGs, and store the result in the -+# global $as_val. Take advantage of shells that can avoid forks. The arguments -+# must be portable across $(()) and expr. -+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : -+ eval 'as_fn_arith () -+ { -+ as_val=$(( $* )) -+ }' -+else -+ as_fn_arith () -+ { -+ as_val=`expr "$@" || test $? -eq 1` -+ } -+fi # as_fn_arith -+ - --# Required to use basename. - if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -@@ -2930,13 +3651,17 @@ - as_basename=false - fi - -+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then -+ as_dirname=dirname -+else -+ as_dirname=false -+fi - --# Name of the executable. - as_me=`$as_basename -- "$0" || - $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || --echo X/"$0" | -+$as_echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ - s//\1/ - q -@@ -2951,104 +3676,103 @@ - } - s/.*/./; q'` - --# CDPATH. --$as_unset CDPATH -- -- -- -- as_lineno_1=$LINENO -- as_lineno_2=$LINENO -- test "x$as_lineno_1" != "x$as_lineno_2" && -- test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { -- -- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO -- # uniformly replaced by the line number. The first 'sed' inserts a -- # line-number line after each line using $LINENO; the second 'sed' -- # does the real work. The second script uses 'N' to pair each -- # line-number line with the line containing $LINENO, and appends -- # trailing '-' during substitution so that $LINENO is not a special -- # case at line end. -- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the -- # scripts with optimization help from Paolo Bonzini. Blame Lee -- # E. McMahon (1931-1989) for sed's syntax. :-) -- sed -n ' -- p -- /[$]LINENO/= -- ' <$as_myself | -- sed ' -- s/[$]LINENO.*/&-/ -- t lineno -- b -- :lineno -- N -- :loop -- s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ -- t loop -- s/-\n.*// -- ' >$as_me.lineno && -- chmod +x "$as_me.lineno" || -- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 -- { (exit 1); exit 1; }; } -- -- # Don't try to exec as it changes $[0], causing all sort of problems -- # (the dirname of $[0] is not the place where we might find the -- # original and so on. Autoconf is especially sensitive to this). -- . "./$as_me.lineno" -- # Exit status is that of the last command. -- exit --} -- -- --if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then -- as_dirname=dirname --else -- as_dirname=false --fi -+# Avoid depending upon Character Ranges. -+as_cr_letters='abcdefghijklmnopqrstuvwxyz' -+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -+as_cr_Letters=$as_cr_letters$as_cr_LETTERS -+as_cr_digits='0123456789' -+as_cr_alnum=$as_cr_Letters$as_cr_digits - - ECHO_C= ECHO_N= ECHO_T= --case `echo -n x` in -+case `echo -n x` in #((((( - -n*) -- case `echo 'x\c'` in -+ case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. -- *) ECHO_C='\c';; -+ xy) ECHO_C='\c';; -+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null -+ ECHO_T=' ';; - esac;; - *) - ECHO_N='-n';; - esac - --if expr a : '\(a\)' >/dev/null 2>&1 && -- test "X`expr 00001 : '.*\(...\)'`" = X001; then -- as_expr=expr --else -- as_expr=false --fi -- - rm -f conf$$ conf$$.exe conf$$.file - if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file - else - rm -f conf$$.dir -- mkdir conf$$.dir -+ mkdir conf$$.dir 2>/dev/null - fi --echo >conf$$.file --if ln -s conf$$.file conf$$ 2>/dev/null; then -- as_ln_s='ln -s' -- # ... but there are two gotchas: -- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. -- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -- # In both cases, we have to default to `cp -p'. -- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -+if (echo >conf$$.file) 2>/dev/null; then -+ if ln -s conf$$.file conf$$ 2>/dev/null; then -+ as_ln_s='ln -s' -+ # ... but there are two gotchas: -+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. -+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -+ # In both cases, we have to default to `cp -p'. -+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -+ as_ln_s='cp -p' -+ elif ln conf$$.file conf$$ 2>/dev/null; then -+ as_ln_s=ln -+ else - as_ln_s='cp -p' --elif ln conf$$.file conf$$ 2>/dev/null; then -- as_ln_s=ln -+ fi - else - as_ln_s='cp -p' - fi - rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file - rmdir conf$$.dir 2>/dev/null - -+ -+# as_fn_mkdir_p -+# ------------- -+# Create "$as_dir" as a directory, including parents if necessary. -+as_fn_mkdir_p () -+{ -+ -+ case $as_dir in #( -+ -*) as_dir=./$as_dir;; -+ esac -+ test -d "$as_dir" || eval $as_mkdir_p || { -+ as_dirs= -+ while :; do -+ case $as_dir in #( -+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( -+ *) as_qdir=$as_dir;; -+ esac -+ as_dirs="'$as_qdir' $as_dirs" -+ as_dir=`$as_dirname -- "$as_dir" || -+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -+ X"$as_dir" : 'X\(//\)[^/]' \| \ -+ X"$as_dir" : 'X\(//\)$' \| \ -+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -+$as_echo X"$as_dir" | -+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\/\)[^/].*/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\/\)$/{ -+ s//\1/ -+ q -+ } -+ /^X\(\/\).*/{ -+ s//\1/ -+ q -+ } -+ s/.*/./; q'` -+ test -d "$as_dir" && break -+ done -+ test -z "$as_dirs" || eval "mkdir $as_dirs" -+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" -+ -+ -+} # as_fn_mkdir_p - if mkdir -p . 2>/dev/null; then -- as_mkdir_p=: -+ as_mkdir_p='mkdir -p "$as_dir"' - else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -@@ -3065,12 +3789,12 @@ - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then -- test -d "$1/."; -+ test -d "$1/."; - else -- case $1 in -- -*)set "./$1";; -+ case $1 in #( -+ -*)set "./$1";; - esac; -- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in -+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -@@ -3085,13 +3809,19 @@ - - - exec 6>&1 -+## ----------------------------------- ## -+## Main body of $CONFIG_STATUS script. ## -+## ----------------------------------- ## -+_ASEOF -+test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 - --# Save the log message, to keep $[0] and so on meaningful, and to -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -+# Save the log message, to keep $0 and so on meaningful, and to - # report actual input values of CONFIG_FILES etc. instead of their - # values after options handling. - ac_log=" - This file was extended by $as_me, which was --generated by GNU Autoconf 2.61. Invocation command line was -+generated by GNU Autoconf 2.67. Invocation command line was - - CONFIG_FILES = $CONFIG_FILES - CONFIG_HEADERS = $CONFIG_HEADERS -@@ -3104,59 +3834,74 @@ - - _ACEOF - --cat >>$CONFIG_STATUS <<_ACEOF -+case $ac_config_files in *" -+"*) set x $ac_config_files; shift; ac_config_files=$*;; -+esac -+ -+ -+ -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - # Files that config.status was made for. - config_files="$ac_config_files" - - _ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - ac_cs_usage="\ --\`$as_me' instantiates files from templates according to the --current configuration. -+\`$as_me' instantiates files and other configuration actions -+from templates according to the current configuration. Unless the files -+and actions are specified as TAGs, all are instantiated by default. - --Usage: $0 [OPTIONS] [FILE]... -+Usage: $0 [OPTION]... [TAG]... - - -h, --help print this help, then exit - -V, --version print version number and configuration settings, then exit -- -q, --quiet do not print progress messages -+ --config print configuration, then exit -+ -q, --quiet, --silent -+ do not print progress messages - -d, --debug don't remove temporary files - --recheck update $as_me by reconfiguring in the same conditions -- --file=FILE[:TEMPLATE] -- instantiate the configuration file FILE -+ --file=FILE[:TEMPLATE] -+ instantiate the configuration file FILE - - Configuration files: - $config_files - --Report bugs to ." -+Report bugs to the package provider." - - _ACEOF --cat >>$CONFIG_STATUS <<_ACEOF -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -+ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" - ac_cs_version="\\ - config.status --configured by $0, generated by GNU Autoconf 2.61, -- with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" -+configured by $0, generated by GNU Autoconf 2.67, -+ with options \\"\$ac_cs_config\\" - --Copyright (C) 2006 Free Software Foundation, Inc. -+Copyright (C) 2010 Free Software Foundation, Inc. - This config.status script is free software; the Free Software Foundation - gives unlimited permission to copy, distribute and modify it." - - ac_pwd='$ac_pwd' - srcdir='$srcdir' -+test -n "\$AWK" || AWK=awk - _ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF --# If no file are specified by the user, then we need to provide default --# value. By we need to know if files were specified by the user. -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -+# The default lists apply if the user does not specify any file. - ac_need_defaults=: - while test $# != 0 - do - case $1 in -- --*=*) -+ --*=?*) - ac_option=`expr "X$1" : 'X\([^=]*\)='` - ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` - ac_shift=: - ;; -+ --*=) -+ ac_option=`expr "X$1" : 'X\([^=]*\)='` -+ ac_optarg= -+ ac_shift=: -+ ;; - *) - ac_option=$1 - ac_optarg=$2 -@@ -3169,25 +3914,30 @@ - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - ac_cs_recheck=: ;; - --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) -- echo "$ac_cs_version"; exit ;; -+ $as_echo "$ac_cs_version"; exit ;; -+ --config | --confi | --conf | --con | --co | --c ) -+ $as_echo "$ac_cs_config"; exit ;; - --debug | --debu | --deb | --de | --d | -d ) - debug=: ;; - --file | --fil | --fi | --f ) - $ac_shift -- CONFIG_FILES="$CONFIG_FILES $ac_optarg" -+ case $ac_optarg in -+ *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; -+ '') as_fn_error $? "missing file argument" ;; -+ esac -+ as_fn_append CONFIG_FILES " '$ac_optarg'" - ac_need_defaults=false;; - --he | --h | --help | --hel | -h ) -- echo "$ac_cs_usage"; exit ;; -+ $as_echo "$ac_cs_usage"; exit ;; - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil | --si | --s) - ac_cs_silent=: ;; - - # This is an error. -- -*) { echo "$as_me: error: unrecognized option: $1 --Try \`$0 --help' for more information." >&2 -- { (exit 1); exit 1; }; } ;; -+ -*) as_fn_error $? "unrecognized option: \`$1' -+Try \`$0 --help' for more information." ;; - -- *) ac_config_targets="$ac_config_targets $1" -+ *) as_fn_append ac_config_targets " $1" - ac_need_defaults=false ;; - - esac -@@ -3202,30 +3952,32 @@ - fi - - _ACEOF --cat >>$CONFIG_STATUS <<_ACEOF -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - if \$ac_cs_recheck; then -- echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6 -- CONFIG_SHELL=$SHELL -+ set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion -+ shift -+ \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 -+ CONFIG_SHELL='$SHELL' - export CONFIG_SHELL -- exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion -+ exec "\$@" - fi - - _ACEOF --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - exec 5>>config.log - { - echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX - ## Running $as_me. ## - _ASBOX -- echo "$ac_log" -+ $as_echo "$ac_log" - } >&5 - - _ACEOF --cat >>$CONFIG_STATUS <<_ACEOF -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - _ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - - # Handling of arguments. - for ac_config_target in $ac_config_targets -@@ -3233,9 +3985,7 @@ - case $ac_config_target in - "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; - -- *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 --echo "$as_me: error: invalid argument: $ac_config_target" >&2;} -- { (exit 1); exit 1; }; };; -+ *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;; - esac - done - -@@ -3260,7 +4010,7 @@ - trap 'exit_status=$? - { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status - ' 0 -- trap '{ (exit 1); exit 1; }' 1 2 13 15 -+ trap 'as_fn_exit 1' 1 2 13 15 - } - # Create a (secure) tmp directory for tmp files. - -@@ -3271,145 +4021,177 @@ - { - tmp=./conf$$-$RANDOM - (umask 077 && mkdir "$tmp") --} || --{ -- echo "$me: cannot create a temporary directory in ." >&2 -- { (exit 1); exit 1; } --} -- --# --# Set up the sed scripts for CONFIG_FILES section. --# -+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 - --# No need to generate the scripts if there are no CONFIG_FILES. --# This happens for instance when ./config.status config.h -+# Set up the scripts for CONFIG_FILES section. -+# No need to generate them if there are no CONFIG_FILES. -+# This happens for instance with `./config.status config.h'. - if test -n "$CONFIG_FILES"; then - --_ACEOF - -+ac_cr=`echo X | tr X '\015'` -+# On cygwin, bash can eat \r inside `` if the user requested igncr. -+# But we know of no other shell where ac_cr would be empty at this -+# point, so we can use a bashism as a fallback. -+if test "x$ac_cr" = x; then -+ eval ac_cr=\$\'\\r\' -+fi -+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` -+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then -+ ac_cs_awk_cr='\\r' -+else -+ ac_cs_awk_cr=$ac_cr -+fi -+ -+echo 'BEGIN {' >"$tmp/subs1.awk" && -+_ACEOF - - -+{ -+ echo "cat >conf$$subs.awk <<_ACEOF" && -+ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && -+ echo "_ACEOF" -+} >conf$$subs.sh || -+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 -+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` - ac_delim='%!_!# ' - for ac_last_try in false false false false false :; do -- cat >conf$$subs.sed <<_ACEOF --SHELL!$SHELL$ac_delim --PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim --PACKAGE_NAME!$PACKAGE_NAME$ac_delim --PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim --PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim --PACKAGE_STRING!$PACKAGE_STRING$ac_delim --PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim --exec_prefix!$exec_prefix$ac_delim --prefix!$prefix$ac_delim --program_transform_name!$program_transform_name$ac_delim --bindir!$bindir$ac_delim --sbindir!$sbindir$ac_delim --libexecdir!$libexecdir$ac_delim --datarootdir!$datarootdir$ac_delim --datadir!$datadir$ac_delim --sysconfdir!$sysconfdir$ac_delim --sharedstatedir!$sharedstatedir$ac_delim --localstatedir!$localstatedir$ac_delim --includedir!$includedir$ac_delim --oldincludedir!$oldincludedir$ac_delim --docdir!$docdir$ac_delim --infodir!$infodir$ac_delim --htmldir!$htmldir$ac_delim --dvidir!$dvidir$ac_delim --pdfdir!$pdfdir$ac_delim --psdir!$psdir$ac_delim --libdir!$libdir$ac_delim --localedir!$localedir$ac_delim --mandir!$mandir$ac_delim --DEFS!$DEFS$ac_delim --ECHO_C!$ECHO_C$ac_delim --ECHO_N!$ECHO_N$ac_delim --ECHO_T!$ECHO_T$ac_delim --LIBS!$LIBS$ac_delim --build_alias!$build_alias$ac_delim --host_alias!$host_alias$ac_delim --target_alias!$target_alias$ac_delim --CC!$CC$ac_delim --CFLAGS!$CFLAGS$ac_delim --LDFLAGS!$LDFLAGS$ac_delim --CPPFLAGS!$CPPFLAGS$ac_delim --ac_ct_CC!$ac_ct_CC$ac_delim --EXEEXT!$EXEEXT$ac_delim --OBJEXT!$OBJEXT$ac_delim --eap_tnc_cflags!$eap_tnc_cflags$ac_delim --eap_tnc_ldflags!$eap_tnc_ldflags$ac_delim --targetname!$targetname$ac_delim --LIBOBJS!$LIBOBJS$ac_delim --LTLIBOBJS!$LTLIBOBJS$ac_delim --_ACEOF -+ . ./conf$$subs.sh || -+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 - -- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 49; then -+ ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` -+ if test $ac_delim_n = $ac_delim_num; then - break - elif $ac_last_try; then -- { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 --echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} -- { (exit 1); exit 1; }; } -+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 - else - ac_delim="$ac_delim!$ac_delim _$ac_delim!! " - fi - done -+rm -f conf$$subs.sh - --ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed` --if test -n "$ac_eof"; then -- ac_eof=`echo "$ac_eof" | sort -nru | sed 1q` -- ac_eof=`expr $ac_eof + 1` --fi -- --cat >>$CONFIG_STATUS <<_ACEOF --cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof --/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end --_ACEOF --sed ' --s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g --s/^/s,@/; s/!/@,|#_!!_#|/ --:n --t n --s/'"$ac_delim"'$/,g/; t --s/$/\\/; p --N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n --' >>$CONFIG_STATUS >$CONFIG_STATUS <<_ACEOF --:end --s/|#_!!_#|//g --CEOF$ac_eof -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -+cat >>"\$tmp/subs1.awk" <<\\_ACAWK && - _ACEOF -+sed -n ' -+h -+s/^/S["/; s/!.*/"]=/ -+p -+g -+s/^[^!]*!// -+:repl -+t repl -+s/'"$ac_delim"'$// -+t delim -+:nl -+h -+s/\(.\{148\}\)..*/\1/ -+t more1 -+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ -+p -+n -+b repl -+:more1 -+s/["\\]/\\&/g; s/^/"/; s/$/"\\/ -+p -+g -+s/.\{148\}// -+t nl -+:delim -+h -+s/\(.\{148\}\)..*/\1/ -+t more2 -+s/["\\]/\\&/g; s/^/"/; s/$/"/ -+p -+b -+:more2 -+s/["\\]/\\&/g; s/^/"/; s/$/"\\/ -+p -+g -+s/.\{148\}// -+t delim -+' >$CONFIG_STATUS || ac_write_fail=1 -+rm -f conf$$subs.awk -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -+_ACAWK -+cat >>"\$tmp/subs1.awk" <<_ACAWK && -+ for (key in S) S_is_set[key] = 1 -+ FS = "" -+ -+} -+{ -+ line = $ 0 -+ nfields = split(line, field, "@") -+ substed = 0 -+ len = length(field[1]) -+ for (i = 2; i < nfields; i++) { -+ key = field[i] -+ keylen = length(key) -+ if (S_is_set[key]) { -+ value = S[key] -+ line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) -+ len += length(value) + length(field[++i]) -+ substed = 1 -+ } else -+ len += 1 + keylen -+ } -+ -+ print line -+} - -+_ACAWK -+_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then -+ sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" -+else -+ cat -+fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \ -+ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 -+_ACEOF - --# VPATH may cause trouble with some makes, so we remove $(srcdir), --# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and -+# VPATH may cause trouble with some makes, so we remove sole $(srcdir), -+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and - # trailing colons and then remove the whole line if VPATH becomes empty - # (actually we leave an empty line to preserve line numbers). - if test "x$srcdir" = x.; then -- ac_vpsub='/^[ ]*VPATH[ ]*=/{ --s/:*\$(srcdir):*/:/ --s/:*\${srcdir}:*/:/ --s/:*@srcdir@:*/:/ --s/^\([^=]*=[ ]*\):*/\1/ -+ ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ -+h -+s/// -+s/^/:/ -+s/[ ]*$/:/ -+s/:\$(srcdir):/:/g -+s/:\${srcdir}:/:/g -+s/:@srcdir@:/:/g -+s/^:*// - s/:*$// -+x -+s/\(=[ ]*\).*/\1/ -+G -+s/\n// - s/^[^=]*=[ ]*$// - }' - fi - --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - fi # test -n "$CONFIG_FILES" - - --for ac_tag in :F $CONFIG_FILES -+eval set X " :F $CONFIG_FILES " -+shift -+for ac_tag - do - case $ac_tag in - :[FHLC]) ac_mode=$ac_tag; continue;; - esac - case $ac_mode$ac_tag in - :[FHL]*:*);; -- :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5 --echo "$as_me: error: Invalid tag $ac_tag." >&2;} -- { (exit 1); exit 1; }; };; -+ :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;; - :[FH]-) ac_tag=-:-;; - :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; - esac -@@ -3437,26 +4219,34 @@ - [\\/$]*) false;; - *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; - esac || -- { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 --echo "$as_me: error: cannot find input file: $ac_f" >&2;} -- { (exit 1); exit 1; }; };; -+ as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;; - esac -- ac_file_inputs="$ac_file_inputs $ac_f" -+ case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac -+ as_fn_append ac_file_inputs " '$ac_f'" - done - - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ -- configure_input="Generated from "`IFS=: -- echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure." -+ configure_input='Generated from '` -+ $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' -+ `' by configure.' - if test x"$ac_file" != x-; then - configure_input="$ac_file. $configure_input" -- { echo "$as_me:$LINENO: creating $ac_file" >&5 --echo "$as_me: creating $ac_file" >&6;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 -+$as_echo "$as_me: creating $ac_file" >&6;} - fi -+ # Neutralize special characters interpreted by sed in replacement strings. -+ case $configure_input in #( -+ *\&* | *\|* | *\\* ) -+ ac_sed_conf_input=`$as_echo "$configure_input" | -+ sed 's/[\\\\&|]/\\\\&/g'`;; #( -+ *) ac_sed_conf_input=$configure_input;; -+ esac - - case $ac_tag in -- *:-:* | *:-) cat >"$tmp/stdin";; -+ *:-:* | *:-) cat >"$tmp/stdin" \ -+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; - esac - ;; - esac -@@ -3466,42 +4256,7 @@ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || --echo X"$ac_file" | -- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ -- s//\1/ -- q -- } -- /^X\(\/\/\)[^/].*/{ -- s//\1/ -- q -- } -- /^X\(\/\/\)$/{ -- s//\1/ -- q -- } -- /^X\(\/\).*/{ -- s//\1/ -- q -- } -- s/.*/./; q'` -- { as_dir="$ac_dir" -- case $as_dir in #( -- -*) as_dir=./$as_dir;; -- esac -- test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { -- as_dirs= -- while :; do -- case $as_dir in #( -- *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #( -- *) as_qdir=$as_dir;; -- esac -- as_dirs="'$as_qdir' $as_dirs" -- as_dir=`$as_dirname -- "$as_dir" || --$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ -- X"$as_dir" : 'X\(//\)[^/]' \| \ -- X"$as_dir" : 'X\(//\)$' \| \ -- X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || --echo X"$as_dir" | -+$as_echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q -@@ -3519,20 +4274,15 @@ - q - } - s/.*/./; q'` -- test -d "$as_dir" && break -- done -- test -z "$as_dirs" || eval "mkdir $as_dirs" -- } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 --echo "$as_me: error: cannot create directory $as_dir" >&2;} -- { (exit 1); exit 1; }; }; } -+ as_dir="$ac_dir"; as_fn_mkdir_p - ac_builddir=. - - case "$ac_dir" in - .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) -- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` -+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` - # A ".." for each directory in $ac_dir_suffix. -- ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` -+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; -@@ -3568,12 +4318,12 @@ - - _ACEOF - --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - # If the template does not know about datarootdir, expand it. - # FIXME: This hack should be removed a few years after 2.60. - ac_datarootdir_hack=; ac_datarootdir_seen= -- --case `sed -n '/datarootdir/ { -+ac_sed_dataroot=' -+/datarootdir/ { - p - q - } -@@ -3581,36 +4331,37 @@ - /@docdir@/p - /@infodir@/p - /@localedir@/p --/@mandir@/p --' $ac_file_inputs` in -+/@mandir@/p' -+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in - *datarootdir*) ac_datarootdir_seen=yes;; - *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) -- { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 --echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 -+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} - _ACEOF --cat >>$CONFIG_STATUS <<_ACEOF -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - ac_datarootdir_hack=' - s&@datadir@&$datadir&g - s&@docdir@&$docdir&g - s&@infodir@&$infodir&g - s&@localedir@&$localedir&g - s&@mandir@&$mandir&g -- s&\\\${datarootdir}&$datarootdir&g' ;; -+ s&\\\${datarootdir}&$datarootdir&g' ;; - esac - _ACEOF - - # Neutralize VPATH when `$srcdir' = `.'. - # Shell code in configure.ac might set extrasub. - # FIXME: do we really want to maintain this feature? --cat >>$CONFIG_STATUS <<_ACEOF -- sed "$ac_vpsub -+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -+ac_sed_extra="$ac_vpsub - $extrasub - _ACEOF --cat >>$CONFIG_STATUS <<\_ACEOF -+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - :t - /@[a-zA-Z_][a-zA-Z_0-9]*@/!b --s&@configure_input@&$configure_input&;t t -+s|@configure_input@|$ac_sed_conf_input|;t t - s&@top_builddir@&$ac_top_builddir_sub&;t t -+s&@top_build_prefix@&$ac_top_build_prefix&;t t - s&@srcdir@&$ac_srcdir&;t t - s&@abs_srcdir@&$ac_abs_srcdir&;t t - s&@top_srcdir@&$ac_top_srcdir&;t t -@@ -3619,21 +4370,24 @@ - s&@abs_builddir@&$ac_abs_builddir&;t t - s&@abs_top_builddir@&$ac_abs_top_builddir&;t t - $ac_datarootdir_hack --" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out -+" -+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \ -+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - - test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && - { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && - { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && -- { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' --which seems to be undefined. Please make sure it is defined." >&5 --echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' --which seems to be undefined. Please make sure it is defined." >&2;} -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' -+which seems to be undefined. Please make sure it is defined" >&5 -+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' -+which seems to be undefined. Please make sure it is defined" >&2;} - - rm -f "$tmp/stdin" - case $ac_file in -- -) cat "$tmp/out"; rm -f "$tmp/out";; -- *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;; -- esac -+ -) cat "$tmp/out" && rm -f "$tmp/out";; -+ *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";; -+ esac \ -+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - ;; - - -@@ -3643,11 +4397,13 @@ - done # for ac_tag - - --{ (exit 0); exit 0; } -+as_fn_exit 0 - _ACEOF --chmod +x $CONFIG_STATUS - ac_clean_files=$ac_clean_files_save - -+test $ac_write_fail = 0 || -+ as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 -+ - - # configure is writing to config.log, and then calls config.status. - # config.status does its own redirection, appending to config.log. -@@ -3667,7 +4423,10 @@ - exec 5>>config.log - # Use ||, not &&, to avoid exiting from the if with $? = 1, which - # would make configure fail if this is the last instruction. -- $ac_cs_success || { (exit 1); exit 1; } -+ $ac_cs_success || as_fn_exit 1 -+fi -+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 -+$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} - fi -- - -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in 2012-12-04 19:38:00.241420966 +0100 -@@ -2,12 +2,21 @@ - AC_REVISION($Revision$) - AC_DEFUN(modname,[rlm_eap_tnc]) - -+eap_tnc_cflags= -+eap_tnc_ldflags=-lnaaeap -+ - if test x$with_[]modname != xno; then - -- AC_CHECK_LIB(TNCS, exchangeTNCCSMessages) -- if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then -- AC_MSG_WARN([the TNCS library isn't found!]) -- fail="$fail -lTNCS" -+ AC_CHECK_LIB(naaeap,processEAPTNCData,,fail="$fail -lnaaeap",) -+ if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then -+ AC_MSG_WARN([the NAAEAP library was not found!]) -+ fail="$fail -lNAAEAP" -+ fi -+ -+ AC_CHECK_HEADERS(naaeap/naaeap.h,,fail="$fail -Inaaeap.h",) -+ if test -x"$ac_cv_header_naaeap_h" == -x"no"; then -+ AC_MSG_WARN([the naaeap header was not found!]) -+ fail="$fail -Inaaeap.h" - fi - - targetname=modname -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c 2012-12-04 19:38:00.241420966 +0100 -@@ -1,12 +1,12 @@ - /* - * eap_tnc.c EAP TNC functionality. - * -- * This software is Copyright (C) 2006,2007 FH Hannover -+ * This software is Copyright (C) 2006-2009 FH Hannover - * - * Portions of this code unrelated to FreeRADIUS are available - * separately under a commercial license. If you require an - * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -+ * contact trust@f4-i.fh-hannover.de for details. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -23,230 +23,41 @@ - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - * - */ --#include --RCSID("$Id: 213ede51c46a8c533961be8715395c0ab1f6b5c9 $") -- -- --/* -- * -- * MD5 Packet Format in EAP Type-Data -- * --- ------ ------ -- --- --------- -- * 0 1 2 3 -- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Value-Size | Value ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Name ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * -- * EAP-TNC Packet Format in EAP Type-Data -- * -- * 0 1 2 3 -- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Flags |Ver | Data Length ... -- * |L M S R R|=1 | -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * |... | Data ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- -- * -- */ -- - #include - #include - #include "eap.h" - - #include "eap_tnc.h" - -- /* -- * WTF is wrong with htonl ? -- */ --static uint32_t ByteSwap2 (uint32_t nLongNumber) --{ -- return (((nLongNumber&0x000000FF)<<24)+((nLongNumber&0x0000FF00)<<8)+ -- ((nLongNumber&0x00FF0000)>>8)+((nLongNumber&0xFF000000)>>24)); --} -- - /* -- * Allocate a new TNC_PACKET -+ * Forms an EAP_REQUEST packet from the EAP_TNC specific data. - */ --TNC_PACKET *eaptnc_alloc(void) -+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code) - { -- TNC_PACKET *rp; -- -- if ((rp = malloc(sizeof(TNC_PACKET))) == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -- return NULL; -+ // check parameters -+ if(handler == NULL || (request == NULL && length != 0) || (request != NULL && length < 1) || code > PW_EAP_MAX_CODES){ -+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler == %p, request == %p, length == %lu, code == %u", handler, request, length, code); -+ return 0; - } -- memset(rp, 0, sizeof(TNC_PACKET)); -- return rp; --} -- --/* -- * Free TNC_PACKET -- */ --void eaptnc_free(TNC_PACKET **tnc_packet_ptr) --{ -- TNC_PACKET *tnc_packet; -- -- if (!tnc_packet_ptr) return; -- tnc_packet = *tnc_packet_ptr; -- if (tnc_packet == NULL) return; -- -- if (tnc_packet->data) free(tnc_packet->data); - -- free(tnc_packet); -- -- *tnc_packet_ptr = NULL; --} -- --/* -- * We expect only RESPONSE for which REQUEST, SUCCESS or FAILURE is sent back -- */ --TNC_PACKET *eaptnc_extract(EAP_DS *eap_ds) --{ -- tnc_packet_t *data; -- TNC_PACKET *packet; -- /* -- * We need a response, of type EAP-TNC -- */ -- if (!eap_ds || -- !eap_ds->response || -- (eap_ds->response->code != PW_TNC_RESPONSE) || -- eap_ds->response->type.type != PW_EAP_TNC || -- !eap_ds->response->type.data || -- (eap_ds->response->length <= TNC_HEADER_LEN) || -- (eap_ds->response->type.data[0] <= 0)) { -- radlog(L_ERR, "rlm_eap_tnc: corrupted data"); -- return NULL; -+ // further check parameters -+ if(handler->opaque == NULL || handler->eap_ds == NULL){ -+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->opaque == %p, handler->eap_ds == %p", handler->opaque, handler->eap_ds); -+ return 0; - } -- packet = eaptnc_alloc(); -- if (!packet) return NULL; -- - -- packet->code = eap_ds->response->code; -- packet->id = eap_ds->response->id; -- packet->length = eap_ds->response->length; -- -- data = (tnc_packet_t *)eap_ds->response->type.data; -- /* -- * Already checked the size above. -- */ -- packet->flags_ver = data->flags_ver; -- unsigned char *ptr = (unsigned char*)data; -- -- -- DEBUG2("Flags/Ver: %x\n", packet->flags_ver); -- int thisDataLength; -- int dataStart; -- if(TNC_LENGTH_INCLUDED(packet->flags_ver)){ -- DEBUG2("data_length included\n"); --// memcpy(&packet->flags_ver[1], &data->flags_ver[1], 4); -- //packet->data_length = data->data_length; -- memcpy(&packet->data_length, &ptr[1], TNC_DATA_LENGTH_LENGTH); -- DEBUG2("data_length: %x\n", packet->data_length); -- DEBUG2("data_length: %d\n", packet->data_length); -- DEBUG2("data_length: %x\n", ByteSwap2(packet->data_length)); -- DEBUG2("data_length: %d\n", ByteSwap2(packet->data_length)); -- packet->data_length = ByteSwap2(packet->data_length); -- thisDataLength = packet->length-TNC_PACKET_LENGTH; //1: we need space for flags_ver -- dataStart = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH; -- }else{ -- DEBUG2("no data_length included\n"); -- thisDataLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; -- packet->data_length = 0; -- dataStart = TNC_FLAGS_VERSION_LENGTH; -- -- } -- /* -- * Allocate room for the data, and copy over the data. -- */ -- packet->data = malloc(thisDataLength); -- if (packet->data == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -- eaptnc_free(&packet); -- return NULL; -+ if(handler->eap_ds->request == NULL){ -+ radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->eap_ds->request == %p", handler->eap_ds->request); -+ return 0; - } -- -- memcpy(packet->data, &(eap_ds->response->type.data[dataStart]), thisDataLength); -- -- return packet; --} - -- --/* -- * Compose the portions of the reply packet specific to the -- * EAP-TNC protocol, in the EAP reply typedata -- */ --int eaptnc_compose(EAP_DS *eap_ds, TNC_PACKET *reply) --{ -- uint8_t *ptr; -- -- -- if (reply->code < 3) { -- //fill: EAP-Type (0x888e) -- eap_ds->request->type.type = PW_EAP_TNC; -- DEBUG2("TYPE: EAP-TNC set\n"); -- rad_assert(reply->length > 0); -- -- //alloc enough space for whole TNC-Packet (from Code on) -- eap_ds->request->type.data = calloc(reply->length, sizeof(unsigned char*)); -- DEBUG2("Malloc %d bytes for packet\n", reply->length); -- if (eap_ds->request->type.data == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -- return 0; -- } -- //put pointer at position where data starts (behind Type) -- ptr = eap_ds->request->type.data; -- //*ptr = (uint8_t)(reply->data_length & 0xFF); -- -- //ptr++; -- *ptr = reply->flags_ver; -- DEBUG2("Set Flags/Version: %d\n", *ptr); -- if(reply->data_length!=0){ -- DEBUG2("Set data-length: %d\n", reply->data_length); -- ptr++; //move to start-position of "data_length" -- DEBUG2("Set data-length: %x\n", reply->data_length); -- DEBUG2("Set data-length (swapped): %x\n", ByteSwap2(reply->data_length)); -- unsigned long swappedDataLength = ByteSwap2(reply->data_length); -- //DEBUG2("DATA-length: %d", reply->data_ -- memcpy(ptr, &swappedDataLength, 4); -- //*ptr = swappedDataLength; -- } -- uint16_t thisDataLength=0; -- if(reply->data!=NULL){ -- DEBUG2("Adding TNCCS-Data "); -- int offset; -- //if data_length-Field present -- if(reply->data_length !=0){ -- DEBUG2("with Fragmentation\n"); -- offset = TNC_DATA_LENGTH_LENGTH; //length of data_length-field: 4 -- thisDataLength = reply->length-TNC_PACKET_LENGTH; -- }else{ //data_length-Field not present -- DEBUG2("without Fragmentation\n"); -- offset = 1; -- thisDataLength = reply->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; -- } -- DEBUG2("TNCCS-Datalength: %d\n", thisDataLength); -- ptr=ptr+offset; //move to start-position of "data" -- memcpy(ptr,reply->data, thisDataLength); -- }else{ -- DEBUG2("No TNCCS-Data present"); -- } -- -- //the length of the TNC-packet (behind Type) -- if(reply->data_length!=0){ -- eap_ds->request->type.length = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH+thisDataLength; //4:data_length, 1: flags_ver -- }else{ -- eap_ds->request->type.length = TNC_FLAGS_VERSION_LENGTH+thisDataLength; //1: flags_ver -- } -- DEBUG2("Packet built\n"); -- -- } else { -- eap_ds->request->type.length = 0; -- } -- eap_ds->request->code = reply->code; -+ // fill EAP data to handler -+ handler->eap_ds->request->code = code; -+ handler->eap_ds->request->type.type = PW_EAP_TNC; -+ // fill EAP TYPE specific data to handler -+ handler->eap_ds->request->type.length = length; -+ free(handler->eap_ds->request->type.data); -+ handler->eap_ds->request->type.data = request; - - return 1; - } -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h 2012-12-04 19:38:00.241420966 +0100 -@@ -1,10 +1,10 @@ - /* -- * This software is Copyright (C) 2006,2007 FH Hannover -+ * This software is Copyright (C) 2006-2009 FH Hannover - * - * Portions of this code unrelated to FreeRADIUS are available - * separately under a commercial license. If you require an - * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -+ * contact trust@f4-i.fh-hannover.de for details. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -26,105 +26,20 @@ - #define _EAP_TNC_H - - #include "eap.h" -+#include - --#define PW_TNC_REQUEST 1 --#define PW_TNC_RESPONSE 2 --#define PW_TNC_SUCCESS 3 --#define PW_TNC_FAILURE 4 --#define PW_TNC_MAX_CODES 4 -- --#define TNC_HEADER_LEN 4 --#define TNC_CHALLENGE_LEN 16 --#define TNC_START_LEN 8 -- --#define TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH 6 --#define TNC_PACKET_LENGTH 10 --#define TNC_DATA_LENGTH_LENGTH 4 --#define TNC_FLAGS_VERSION_LENGTH 1 -- --typedef unsigned int VlanAccessMode; -- --#define VLAN_ISOLATE 97 --#define VLAN_ACCESS 2 --/* -- **** -- * EAP - MD5 doesnot specify code, id & length but chap specifies them, -- * for generalization purpose, complete header should be sent -- * and not just value_size, value and name. -- * future implementation. -- * -- * Huh? What does that mean? -- */ -+#define SET_START(x) ((x) | (0x20)) - --/* -+/** -+ * Composes the EAP packet. - * -- * MD5 Packet Format in EAP Type-Data -- * --- ------ ------ -- --- --------- -- * 0 1 2 3 -- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Value-Size | Value ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Name ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * -- * EAP-TNC Packet Format in EAP Type-Data -- * -- * 0 1 2 3 -- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * | Flags |Ver | Data Length ... -- * |L M S R R|=1 | -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- * |... | Data ... -- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- -+ * @param handler The EAP_HANDLER from tnc_initiate() or tnc_authenticate -+ * @param request The EAP_TNC packet received from NAA-TNCS -+ * @param length The length of the EAP_TNC packet received from NAA-TNCS -+ * @param code EAP_CODE for the request - * -+ * @return True if operation was successful, otherwise false. - */ -- --/* eap packet structure */ --typedef struct tnc_packet_t { --/* -- uint8_t code; -- uint8_t id; -- uint16_t length; --*/ -- uint8_t flags_ver; -- uint32_t data_length; -- uint8_t *data; --} tnc_packet_t; -- --typedef struct tnc_packet { -- uint8_t code; -- uint8_t id; -- uint16_t length; -- uint8_t flags_ver; -- uint32_t data_length; -- uint8_t *data; --} TNC_PACKET; -- --#define TNC_START(x) (((x) & 0x20) != 0) --#define TNC_MORE_FRAGMENTS(x) (((x) & 0x40) != 0) --#define TNC_LENGTH_INCLUDED(x) (((x) & 0x80) != 0) --#define TNC_RESERVED_EQ_NULL(x) (((x) & 0x10) == 0 && ((x) & 0x8) == 0) --#define TNC_VERSION_EQ_ONE(x) (((x) & 0x07) == 1) -- --#define SET_START(x) ((x) | (0x20)) --#define SET_MORE_FRAGMENTS(x) ((x) | (0x40)) --#define SET_LENGTH_INCLUDED(x) ((x) | (0x80)) -- -- --/* function declarations here */ -- --TNC_PACKET *eaptnc_alloc(void); --void eaptnc_free(TNC_PACKET **tnc_packet_ptr); -- --int eaptnc_compose(EAP_DS *auth, TNC_PACKET *reply); --TNC_PACKET *eaptnc_extract(EAP_DS *auth); --int eaptnc_verify(TNC_PACKET *pkt, VALUE_PAIR* pwd, uint8_t *ch); -- -- -- -- -+int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code); - - #endif /*_EAP_TNC_H*/ -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in 2012-12-04 19:38:49.277421870 +0100 -@@ -3,8 +3,8 @@ - # - - TARGET = @targetname@ --SRCS = rlm_eap_tnc.c eap_tnc.c tncs_connect.c --HEADERS = eap_tnc.h tncs.h tncs_connect.h ../../eap.h ../../rlm_eap.h -+SRCS = rlm_eap_tnc.c eap_tnc.c -+HEADERS = eap_tnc.h ../../eap.h ../../rlm_eap.h - RLM_CFLAGS = -I../.. -I../../libeap @eap_tnc_cflags@ - RLM_LIBS = @eap_tnc_ldflags@ ../../libeap/$(LIBPREFIX)freeradius-eap.la - RLM_INSTALL = -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c 2012-12-04 19:38:00.241420966 +0100 -@@ -1,12 +1,12 @@ - /* - * rlm_eap_tnc.c Handles that are called from eap - * -- * This software is Copyright (C) 2006,2007 FH Hannover -+ * This software is Copyright (C) 2006-2009 FH Hannover - * - * Portions of this code unrelated to FreeRADIUS are available - * separately under a commercial license. If you require an - * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -+ * contact trust@f4-i.fh-hannover.de for details. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -26,96 +26,262 @@ - * Copyright (C) 2007 Alan DeKok - */ - --#include --RCSID("$Id: 985ac01f384110b9a46ec8e84592351c21b3f09a $") -+/* -+ * EAP-TNC Packet with EAP Header, general structure -+ * -+ * 0 1 2 3 -+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Code | Identifier | Length | -+ * | | | | -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Type | Flags | Ver | Data Length | -+ * | |L M S R R| =1 | | -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Data Length | Data ... -+ * | | -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ */ - - #include - - #include - #include - --#include "tncs_connect.h" - #include "eap_tnc.h" --#include "tncs.h" -+#include - #include -+//#include - --typedef struct rlm_eap_tnc_t { -- char *vlan_access; -- char *vlan_isolate; -- char *tnc_path; --} rlm_eap_tnc_t; -+#include - --static int sessionCounter=0; -+/** -+ * Calculates an identifying string based upon nas_port, nas_ip and nas_port_type. -+ * The maximum length of the calculated string is 70 (not including the trailing '\0'). -+ * -+ * @return the number of bytes written to out (not including the trailing '\0') -+ */ -+static uint32_t calculateConnectionString(RADIUS_PACKET* radius_packet, char *out, size_t outMaxLength) -+{ -+ VALUE_PAIR *vp = NULL; -+ uint32_t nas_port = 0; -+ uint32_t nas_ip = 0; -+ uint32_t nas_port_type = 0; -+ -+ char out_nas_port[11]; -+ char out_nas_ip_byte_0[4]; -+ char out_nas_ip_byte_1[4]; -+ char out_nas_ip_byte_2[4]; -+ char out_nas_ip_byte_3[4]; -+ char out_nas_port_type[11]; -+ -+ // check for NULL -+ if (radius_packet == NULL) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: calculateConnectionString failed. radius_packet == NULL!"); -+ return 0; -+ } -+ -+ // read NAS port, ip and port type -+ for (vp = radius_packet->vps; vp; vp=vp->next) { -+ switch (vp->attribute) { -+ case PW_NAS_PORT: -+ nas_port = vp->vp_integer; -+ DEBUG("NAS scr port = %u\n", nas_port); -+ break; -+ case PW_NAS_IP_ADDRESS: -+ nas_ip = vp->vp_ipaddr; -+ DEBUG("NAS scr ip = %X\n", ntohl(nas_ip)); -+ break; -+ case PW_NAS_PORT_TYPE: -+ nas_port_type = vp->vp_integer; -+ DEBUG("NAS scr port type = %u\n", nas_port_type); -+ break; -+ } -+ } -+ -+ snprintf(out_nas_port, 11, "%u", nas_port); -+ snprintf(out_nas_ip_byte_0, 4, "%u", nas_ip & 0xFF); -+ snprintf(out_nas_ip_byte_1, 4, "%u", (nas_ip >> 8) & 0xFF); -+ snprintf(out_nas_ip_byte_2, 4, "%u", (nas_ip >> 16) & 0xFF); -+ snprintf(out_nas_ip_byte_3, 4, "%u", (nas_ip >> 24) & 0xFF); -+ snprintf(out_nas_port_type, 11, "%u", nas_port_type); -+ -+ return snprintf(out, outMaxLength, "NAS Port: %s NAS IP: %s.%s.%s.%s NAS_PORT_TYPE: %s", out_nas_port, out_nas_ip_byte_3, out_nas_ip_byte_2, out_nas_ip_byte_1, out_nas_ip_byte_0, out_nas_port_type); -+} -+ -+/* -+ * This function is called when the FreeRADIUS attach this module. -+ */ -+static int tnc_attach(CONF_SECTION *conf, void **type_data) -+{ -+ // initialize NAA-EAP -+ DEBUG2("TNC-ATTACH initializing NAA-EAP"); -+ TNC_Result result = initializeDefault(); -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP initializeDefault()"); -+ return -1; -+ } -+ return 0; -+} -+ -+/* -+ * This function is called when the FreeRADIUS detach this module. -+ */ -+static int tnc_detach(void *args) -+{ -+ // terminate NAA-EAP -+ DEBUG2("TNC-TERMINATE terminating NAA-EAP"); -+ TNC_Result result = terminate(); -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_attach error while calling NAA-EAP terminate()"); -+ return -1; -+ } -+ return 0; -+} - - /* -- * Initiate the EAP-MD5 session by sending a challenge to the peer. -- * Initiate the EAP-TNC session by sending a EAP Request witch Start Bit set -- * and with no data -+ * This function is called when the first EAP_IDENTITY_RESPONSE message -+ * was received. -+ * -+ * Initiates the EPA_TNC session by sending the first EAP_TNC_RESPONSE -+ * to the peer. The packet has the Start-Bit set and contains no data. -+ * -+ * 0 1 2 3 -+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Code | Identifier | Length | -+ * | | | | -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * | Type | Flags | Ver | -+ * | |0 0 1 0 0|0 0 1| -+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+ * -+ * For this package, only 'Identifier' has to be set dynamically. Any -+ * other information is static. - */ - static int tnc_initiate(void *type_data, EAP_HANDLER *handler) - { -- uint8_t flags_ver = 1; //set version to 1 -- rlm_eap_tnc_t *inst = type_data; -- TNC_PACKET *reply; -+ size_t buflen = 71; -+ size_t ret = 0; -+ char buf[buflen]; -+ REQUEST * request = NULL; -+ TNC_Result result; -+ TNC_ConnectionID conID; -+ TNC_BufferReference username; - -+ // check if we run inside a secure EAP method. -+ // FIXME check concrete outer EAP method - if (!handler->request || !handler->request->parent) { -- DEBUG("rlm_eap_tnc: EAP-TNC can only be run inside of a TLS-based method."); -+ DEBUG2("rlm_eap_tnc: EAP_TNC must only be used as an inner method within a protected tunneled EAP created by an outer EAP method."); -+ request = handler->request; - return 0; -+ } else { -+ request = handler->request->parent; - } - -- /* -- * FIXME: Update this when the TTLS and PEAP methods can -- * run EAP-TLC *after* the user has been authenticated. -- * This likely means moving the phase2 handlers to a -- * common code base. -- */ -- if (1) { -- DEBUG("rlm-eap_tnc: EAP-TNC can only be run after the user has been authenticated."); -+ if (request->packet == NULL) { -+ DEBUG2("rlm_eap_tnc: ERROR request->packet is NULL."); - return 0; - } - - DEBUG("tnc_initiate: %ld", handler->timestamp); - -- if(connectToTncs(inst->tnc_path)==-1){ -- DEBUG("Could not connect to TNCS"); -+ //calculate connectionString -+ ret = calculateConnectionString(request->packet, buf, buflen); -+ if(ret == 0){ -+ radlog(L_ERR, "rlm_eap_tnc:tnc_attach: calculating connection String failed."); -+ return 0; - } - -+ DEBUG2("TNC-INITIATE getting connection from NAA-EAP"); -+ - /* -- * Allocate an EAP-MD5 packet. -+ * get connection -+ * (uses a function from the NAA-EAP-library) -+ * the presence of the library is checked via the configure-script - */ -- reply = eaptnc_alloc(); -- if (reply == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -+ result = getConnection(buf, &conID); -+ -+ // check for errors -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP getConnection"); - return 0; - } - - /* -- * Fill it with data. -+ * tries to get the username from FreeRADIUS; -+ * copied from modules/rlm_eap/types/rlm_eap_ttls/ttls.c - */ -- reply->code = PW_TNC_REQUEST; -- flags_ver = SET_START(flags_ver); //set start-flag -- DEBUG("$$$$$$$$$$$$$$$$Flags: %d", flags_ver); -- reply->flags_ver = flags_ver; -- reply->length = 1+1; /* one byte of flags_ver */ -+ VALUE_PAIR *usernameValuePair; -+ usernameValuePair = pairfind(request->packet->vps, PW_USER_NAME); - -+ VALUE_PAIR *eapMessageValuePair; -+ if (!usernameValuePair) { -+ eapMessageValuePair = pairfind(request->packet->vps, PW_EAP_MESSAGE); -+ -+ if (eapMessageValuePair && -+ (eapMessageValuePair->length >= EAP_HEADER_LEN + 2) && -+ (eapMessageValuePair->vp_strvalue[0] == PW_EAP_RESPONSE) && -+ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) && -+ (eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) { -+ -+ /* -+ * Create & remember a User-Name -+ */ -+ usernameValuePair = pairmake("User-Name", "", T_OP_EQ); -+ rad_assert(usernameValuePair != NULL); -+ -+ memcpy(usernameValuePair->vp_strvalue, eapMessageValuePair->vp_strvalue + 5, -+ eapMessageValuePair->length - 5); -+ usernameValuePair->length = eapMessageValuePair->length - 5; -+ usernameValuePair->vp_strvalue[usernameValuePair->length] = 0; -+ } -+ } -+ -+ username = malloc(usernameValuePair->length + 1); -+ memcpy(username, usernameValuePair->vp_strvalue, usernameValuePair->length); -+ username[usernameValuePair->length] = '\0'; -+ -+ RDEBUG("Username for current TNC connection: %s", username); -+ -+ /* -+ * stores the username of this connection -+ * (uses a function from the NAA-EAP-library) -+ * the presence of the library is checked via the configure-script -+ */ -+ result = storeUsername(conID, username, usernameValuePair->length); -+ -+ // check for errors -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_initiate error while calling NAA-EAP storeUsername"); -+ return 0; -+ } -+ -+ // set connection ID in FreeRADIUS -+ handler->opaque = malloc(sizeof(TNC_ConnectionID)); -+ memcpy(handler->opaque, &conID, sizeof(TNC_ConnectionID)); -+ -+ // build first EAP TNC request -+ TNC_BufferReference eap_tnc_request = malloc(sizeof(unsigned char)); -+ if (eap_tnc_request == NULL) { -+ radlog(L_ERR, "rlm_eap_tnc:tnc_initiate: malloc failed."); -+ return 0; -+ } -+ *eap_tnc_request = SET_START(1); -+ TNC_UInt32 eap_tnc_length = 1; -+ type_data = type_data; /* suppress -Wunused */ - - /* - * Compose the EAP-TNC packet out of the data structure, - * and free it. - */ -- eaptnc_compose(handler->eap_ds, reply); -- eaptnc_free(&reply); -+ eaptnc_compose(handler, eap_tnc_request, eap_tnc_length, PW_EAP_REQUEST); - -- //put sessionAttribute to Handler and increase sessionCounter -- handler->opaque = calloc(sizeof(TNC_ConnectionID), 1); -- if (handler->opaque == NULL) { -- radlog(L_ERR, "rlm_eap_tnc: out of memory"); -- return 0; -- } -- handler->free_opaque = free; -- memcpy(handler->opaque, &sessionCounter, sizeof(int)); -- sessionCounter++; -- - /* - * We don't need to authorize the user at this point. - * -@@ -124,246 +290,114 @@ - * to us... - */ - handler->stage = AUTHENTICATE; -- -- return 1; --} - --static void setVlanAttribute(rlm_eap_tnc_t *inst, EAP_HANDLER *handler, -- VlanAccessMode mode){ -- VALUE_PAIR *vp; -- char *vlanNumber = NULL; -- switch(mode){ -- case VLAN_ISOLATE: -- vlanNumber = inst->vlan_isolate; -- vp = pairfind(handler->request->config_items, -- PW_TNC_VLAN_ISOLATE); -- if (vp) vlanNumber = vp->vp_strvalue; -- break; -- case VLAN_ACCESS: -- vlanNumber = inst->vlan_access; -- vp = pairfind(handler->request->config_items, -- PW_TNC_VLAN_ACCESS); -- if (vp) vlanNumber = vp->vp_strvalue; -- break; -- -- default: -- DEBUG2(" rlm_eap_tnc: Internal error. Not setting vlan number"); -- return; -- } -- pairadd(&handler->request->reply->vps, -- pairmake("Tunnel-Type", "VLAN", T_OP_SET)); -- -- pairadd(&handler->request->reply->vps, -- pairmake("Tunnel-Medium-Type", "IEEE-802", T_OP_SET)); -- -- pairadd(&handler->request->reply->vps, -- pairmake("Tunnel-Private-Group-ID", vlanNumber, T_OP_SET)); -- -+ return 1; - } - --/* -- * Authenticate a previously sent challenge. -+/** -+ * This function is called when a EAP_TNC_RESPONSE was received. -+ * It basically forwards the EAP_TNC data to NAA-TNCS and forms -+ * and appropriate EAP_RESPONSE. Furthermore, it sets the VlanID -+ * based on the TNC_ConnectionState determined by NAA-TNCS. -+ * -+ * @param type_arg The configuration data -+ * @param handler The EAP_HANDLER -+ * @return True, if successfully, else false. - */ --static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) --{ -- TNC_PACKET *packet; -- TNC_PACKET *reply; -- TNC_ConnectionID connId = *((TNC_ConnectionID *) (handler->opaque)); -- TNC_ConnectionState state; -- rlm_eap_tnc_t *inst = type_arg; -- int isAcknowledgement = 0; -- TNC_UInt32 tnccsMsgLength = 0; -- int isLengthIncluded; -- int moreFragments; -- TNC_UInt32 overallLength; -- TNC_BufferReference outMessage; -- TNC_UInt32 outMessageLength = 2; -- int outIsLengthIncluded=0; -- int outMoreFragments=0; -- TNC_UInt32 outOverallLength=0; -+static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) { - -- DEBUG2("HANDLER_OPAQUE: %d", (int) *((TNC_ConnectionID *) (handler->opaque))); -- DEBUG2("TNC-AUTHENTICATE is starting now for %d..........", (int) connId); -+ rad_assert(handler->request != NULL); // check that request has been sent previously -+ rad_assert(handler->stage == AUTHENTICATE); // check if initiate has been called - -- /* -- * Get the User-Password for this user. -- */ -- rad_assert(handler->request != NULL); -- rad_assert(handler->stage == AUTHENTICATE); -- -- /* -- * Extract the EAP-TNC packet. -- */ -- if (!(packet = eaptnc_extract(handler->eap_ds))) -+ if (handler == NULL) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler == NULL"); - return 0; -+ } -+ if (handler->eap_ds == NULL) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds == NULL"); -+ return 0; -+ } -+ if (handler->eap_ds->response == NULL) { -+ radlog( -+ L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->resonse == NULL"); -+ return 0; -+ } -+ if (handler->eap_ds->response->type.type != PW_EAP_TNC -+ || handler->eap_ds->response->type.length < 1 -+ || handler->eap_ds->response->type.data == NULL) { -+ radlog( -+ L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->response->type.type == %X, ->type.length == %u, ->type.data == %p", -+ handler->eap_ds->response->type.type, -+ handler->eap_ds->response->type.length, -+ handler->eap_ds->response->type.data); -+ return 0; -+ } - -- /* -- * Create a reply, and initialize it. -- */ -- reply = eaptnc_alloc(); -- if (!reply) { -- eaptnc_free(&packet); -- return 0; -- } -- -- reply->id = handler->eap_ds->request->id; -- reply->length = 0; -- if(packet->data_length==0){ -- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; -- }else{ -- tnccsMsgLength = packet->length-TNC_PACKET_LENGTH; -- } -- isLengthIncluded = TNC_LENGTH_INCLUDED(packet->flags_ver); -- moreFragments = TNC_MORE_FRAGMENTS(packet->flags_ver); -- overallLength = packet->data_length; -- if(isLengthIncluded == 0 -- && moreFragments == 0 -- && overallLength == 0 -- && tnccsMsgLength == 0 -- && TNC_START(packet->flags_ver)==0){ -- -- isAcknowledgement = 1; -- } -- -- DEBUG("Data received: (%d)", (int) tnccsMsgLength); --/* int i; -- for(i=0;idata)[i]); -- } -- DEBUG2("\n"); -- */ -- state = exchangeTNCCSMessages(inst->tnc_path, -- connId, -- isAcknowledgement, -- packet->data, -- tnccsMsgLength, -- isLengthIncluded, -- moreFragments, -- overallLength, -- &outMessage, -- &outMessageLength, -- &outIsLengthIncluded, -- &outMoreFragments, -- &outOverallLength); -- DEBUG("GOT State %08x from TNCS", (unsigned int) state); -- if(state == TNC_CONNECTION_EAP_ACKNOWLEDGEMENT){ //send back acknoledgement -- reply->code = PW_TNC_REQUEST; -- reply->data = NULL; -- reply->data_length = 0; -- reply->flags_ver = 1; -- reply->length =TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; -- }else{ //send back normal message -- DEBUG("GOT Message from TNCS (length: %d)", (int) outMessageLength); -- -- /* for(i=0;icode = PW_TNC_REQUEST; -- DEBUG2("Set Reply->Code to EAP-REQUEST\n"); -- break; -- case TNC_CONNECTION_STATE_ACCESS_ALLOWED: -- reply->code = PW_TNC_SUCCESS; -- setVlanAttribute(inst, handler,VLAN_ACCESS); -- break; -- case TNC_CONNECTION_STATE_ACCESS_NONE: -- reply->code = PW_TNC_FAILURE; -- //setVlanAttribute(inst, handler, VLAN_ISOLATE); -- break; -- case TNC_CONNECTION_STATE_ACCESS_ISOLATED: -- reply->code = PW_TNC_SUCCESS; -- setVlanAttribute(inst, handler, VLAN_ISOLATE); -- break; -- default: -- reply->code= PW_TNC_FAILURE; -- -- } -- if(outMessage!=NULL && outMessageLength!=0){ -- reply->data = outMessage; -- } -- reply->flags_ver = 1; -- if(outIsLengthIncluded){ -- reply->flags_ver = SET_LENGTH_INCLUDED(reply->flags_ver); -- reply->data_length = outOverallLength; -- reply->length = TNC_PACKET_LENGTH + outMessageLength; -- DEBUG("SET LENGTH: %d", reply->length); -- DEBUG("SET DATALENGTH: %d", (int) outOverallLength); -- }else{ -- reply->data_length = 0; -- reply->length = TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH + outMessageLength; -- DEBUG("SET LENGTH: %d", reply->length); -- } -- if(outMoreFragments){ -- reply->flags_ver = SET_MORE_FRAGMENTS(reply->flags_ver); -- } -- } -- -- /* -- * Compose the EAP-MD5 packet out of the data structure, -- * and free it. -- */ -- eaptnc_compose(handler->eap_ds, reply); -- eaptnc_free(&reply); -- -- handler->stage = AUTHENTICATE; -- -- eaptnc_free(&packet); -- return 1; --} -- --/* -- * Detach the EAP-TNC module. -- */ --static int tnc_detach(void *arg) --{ -- free(arg); -- return 0; --} -- -- --static CONF_PARSER module_config[] = { -- { "vlan_access", PW_TYPE_STRING_PTR, -- offsetof(rlm_eap_tnc_t, vlan_access), NULL, NULL }, -- { "vlan_isolate", PW_TYPE_STRING_PTR, -- offsetof(rlm_eap_tnc_t, vlan_isolate), NULL, NULL }, -- { "tnc_path", PW_TYPE_STRING_PTR, -- offsetof(rlm_eap_tnc_t, tnc_path), NULL, -- "/usr/local/lib/libTNCS.so"}, -+ // get connection ID -+ TNC_ConnectionID conID = *((TNC_ConnectionID *) (handler->opaque)); - -- { NULL, -1, 0, NULL, NULL } /* end the list */ --}; -+ DEBUG2("TNC-AUTHENTICATE is starting now for connection ID %lX !", conID); - --/* -- * Attach the EAP-TNC module. -- */ --static int tnc_attach(CONF_SECTION *cs, void **instance) --{ -- rlm_eap_tnc_t *inst; -+ // pass EAP_TNC data to NAA-EAP and get answer data -+ TNC_BufferReference output = NULL; -+ TNC_UInt32 outputLength = 0; -+ TNC_ConnectionState connectionState = TNC_CONNECTION_STATE_CREATE; - -- inst = malloc(sizeof(*inst)); -- if (!inst) return -1; -- memset(inst, 0, sizeof(*inst)); -+ /* -+ * forwards the eap_tnc data to NAA-EAP and gets the response -+ * (uses a function from the NAA-EAP-library) -+ * the presence of the library is checked via the configure-script -+ */ -+ TNC_Result result = processEAPTNCData(conID, handler->eap_ds->response->type.data, -+ handler->eap_ds->response->type.length, &output, &outputLength, -+ &connectionState); -+ -+ // check for errors -+ if (result != TNC_RESULT_SUCCESS) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate error while calling NAA-EAP processEAPTNCData"); -+ return 0; -+ } - -- if (cf_section_parse(cs, inst, module_config) < 0) { -- tnc_detach(inst); -- return -1; -+ // output contains now the answer from NAA-EAP -+ uint8_t eapCode = 0; -+ // determine eapCode for request -+ switch (connectionState) { -+ case TNC_CONNECTION_STATE_HANDSHAKE: -+ eapCode = PW_EAP_REQUEST; -+ break; -+ case TNC_CONNECTION_STATE_ACCESS_NONE: -+ eapCode = PW_EAP_FAILURE; -+ break; -+ case TNC_CONNECTION_STATE_ACCESS_ALLOWED: -+ eapCode = PW_EAP_SUCCESS; -+ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Access", T_OP_SET)); -+ break; -+ case TNC_CONNECTION_STATE_ACCESS_ISOLATED: -+ eapCode = PW_EAP_SUCCESS; -+ pairadd(&handler->request->config_items, pairmake("TNC-Status", "Isolate", T_OP_SET)); -+ break; -+ default: -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate invalid TNC_CONNECTION_STATE."); -+ return 0; - } - -- -- if (!inst->vlan_access || !inst->vlan_isolate) { -- radlog(L_ERR, "rlm_eap_tnc: Must set both vlan_access and vlan_isolate"); -- tnc_detach(inst); -- return -1; -+ // form EAP_REQUEST -+ if (!eaptnc_compose(handler, output, outputLength, eapCode)) { -+ radlog(L_ERR, -+ "rlm_eap_tnc: tnc_authenticate error while forming EAP_REQUEST."); -+ return 0; - } - -- *instance = inst; -- return 0; -+ // FIXME: Why is that needed? -+ handler->stage = AUTHENTICATE; -+ -+ return 1; - } - - /* -@@ -371,10 +405,10 @@ - * That is, everything else should be 'static'. - */ - EAP_TYPE rlm_eap_tnc = { -- "eap_tnc", -- tnc_attach, /* attach */ -- tnc_initiate, /* Start the initial request */ -- NULL, /* authorization */ -- tnc_authenticate, /* authentication */ -- tnc_detach /* detach */ -+ "eap_tnc", -+ tnc_attach, /* attach */ -+ tnc_initiate, /* Start the initial request */ -+ NULL, /* authorization */ -+ tnc_authenticate, /* authentication */ -+ tnc_detach /* detach */ - }; -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c 1970-01-01 01:00:00.000000000 +0100 -@@ -1,146 +0,0 @@ --/* -- * This software is Copyright (C) 2006,2007 FH Hannover -- * -- * Portions of this code unrelated to FreeRADIUS are available -- * separately under a commercial license. If you require an -- * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA -- * -- */ --#include --RCSID("$Id: 6077f6d2bdc2ebdea6575678e80e255f57215900 $") -- --#include "tncs_connect.h" --#include --#include --#include --#include -- -- /* -- * FIXME: This linking should really be done at compile time. -- */ --static lt_dlhandle handle = NULL; -- --static ExchangeTNCCSMessagePointer callTNCS = NULL; -- --/* -- * returns the function-pointer to a function of a shared-object -- * -- * soHandle: handle to a shared-object -- * name: name of the requested function -- * -- * return: the procAddress if found, else NULL -- */ --static void *getProcAddress(lt_dlhandle soHandle, const char *name){ -- void *proc = lt_dlsym(soHandle, name); -- DEBUG("Searching for function %s", name); -- if(proc == NULL){ -- DEBUG("rlm_eap_tnc: Failed to resolve symbol %s: %s", -- name, lt_dlerror()); -- } -- return proc; --} -- -- --/* -- * establishs the connection to the TNCCS without calling functionality. -- * That means that the TNCS-shared-object is loaded and the function-pointer -- * to "exchangeTNCCSMessages" is explored. -- * -- * return: -1 if connect failed, 0 if connect was successful -- */ --int connectToTncs(char *pathToSO){ -- int state = -1; -- if(handle==NULL){ -- handle = lt_dlopen(pathToSO); -- DEBUG("OPENED HANDLE!"); -- } -- -- if(handle==NULL){ -- DEBUG("HANDLE IS NULL"); -- DEBUG("rlm_eap_tnc: Failed to link to library %s: %s", -- pathToSO, lt_dlerror()); -- }else{ -- DEBUG("SO %s found!", pathToSO); -- if(callTNCS==NULL){ -- callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages"); -- } -- if(callTNCS!=NULL){ -- DEBUG("TNCS is connected"); -- state = 0; --// int ret = callTNCS2(2, "Bla", NULL); -- // DEBUG("GOT %d from exchangeTNCCSMessages", ret); -- }else{ -- DEBUG("Could not find exchangeTNCCSMessages"); -- } -- -- } -- return state; --} -- --/* -- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages. -- * -pathToSO: Path to TNCCS-Shared Object -- * -connId: identifies the client which the passed message belongs to. -- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant -- * -input: input-TNCCS-message received from the client with connId -- * -inputLength: length of input-TNCCS-message -- * -isFirst: 1 if first message in fragmentation else 0 -- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)? -- * -overallLength: length of all fragments together (only set if fragmentation) -- * -output: answer-TNCCS-message from the TNCS to the client -- * -outputLength: length of answer-TNCCS-message -- * -answerIsFirst: returned answer is first in row -- * -moreFragmentsFollow: more fragments after this answer -- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer -- * -- * return: state of connection as result of the exchange -- */ --TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO, -- /*in*/ TNC_ConnectionID connId, -- /*in*/ int isAcknoledgement, -- /*in*/ TNC_BufferReference input, -- /*in*/ TNC_UInt32 inputLength, -- /*in*/ int isFirst, -- /*in*/ int moreFragments, -- /*in*/ TNC_UInt32 overallLength, -- /*out*/ TNC_BufferReference *output, -- /*out*/ TNC_UInt32 *outputLength, -- /*out*/ int *answerIsFirst, -- /*out*/ int *moreFragmentsFollow, -- /*out*/ TNC_UInt32 *overallLengthOut){ -- TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE; -- int connectStatus = connectToTncs(pathToSO); -- if(connectStatus!=-1){ -- state = callTNCS(connId, -- isAcknoledgement, -- input, -- inputLength, -- isFirst, -- moreFragments, -- overallLength, -- output, -- outputLength, -- answerIsFirst, -- moreFragmentsFollow, -- overallLengthOut); -- DEBUG("GOT TNC_ConnectionState (juhuuu): %u", (unsigned int) state); -- }else{ -- DEBUG("CAN NOT CONNECT TO TNCS"); -- } -- return state; --} -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h 1970-01-01 01:00:00.000000000 +0100 -@@ -1,70 +0,0 @@ --/* -- * This software is Copyright (C) 2006,2007 FH Hannover -- * -- * Portions of this code unrelated to FreeRADIUS are available -- * separately under a commercial license. If you require an -- * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA -- * -- */ -- --#ifndef _TNCS_CONNECT_H_ --#define _TNCS_CONNECT_H_ -- --#include "tncs.h" -- --/* -- * establishs the connection to the TNCCS without calling functionality. -- * That means that the TNCS-shared-object is loaded and the function-pointer -- * to "exchangeTNCCSMessages" is explored. -- * -- * return: -1 if connect failed, 0 if connect was successful -- */ --int connectToTncs(char *pathToSO); --/* -- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages. -- * -pathToSO: Path to TNCCS-Shared Object -- * -connId: identifies the client which the passed message belongs to. -- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant -- * -input: input-TNCCS-message received from the client with connId -- * -inputLength: length of input-TNCCS-message -- * -isFirst: 1 if first message in fragmentation else 0 -- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)? -- * -overallLength: length of all fragments together (only set if fragmentation) -- * -output: answer-TNCCS-message from the TNCS to the client -- * -outputLength: length of answer-TNCCS-message -- * -answerIsFirst: returned answer is first in row -- * -moreFragmentsFollow: more fragments after this answer -- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer -- * -- * return: state of connection as result of the exchange -- */ --TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO, -- /*in*/ TNC_ConnectionID connId, -- /*in*/ int isAcknoledgement, -- /*in*/ TNC_BufferReference input, -- /*in*/ TNC_UInt32 inputLength, -- /*in*/ int isFirst, -- /*in*/ int moreFragments, -- /*in*/ TNC_UInt32 overallLength, -- /*out*/ TNC_BufferReference *output, -- /*out*/ TNC_UInt32 *outputLength, -- /*out*/ int *answerIsFirst, -- /*out*/ int *moreFragmentsFollow, -- /*out*/ TNC_UInt32 *overallLengthOut); -- --#endif //_TNCS_CONNECT_H_ -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h 1970-01-01 01:00:00.000000000 +0100 -@@ -1,86 +0,0 @@ --/* -- * This software is Copyright (C) 2006,2007 FH Hannover -- * -- * Portions of this code unrelated to FreeRADIUS are available -- * separately under a commercial license. If you require an -- * implementation of EAP-TNC that is not under the GPLv2, please -- * contact tnc@inform.fh-hannover.de for details. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA -- * -- */ -- --#ifndef _TNCS_H_ --#define _TNCS_H_ -- -- -- --#ifdef __cplusplus --extern "C" { --#endif -- --/* -- * copied from tncimv.h: -- */ --typedef unsigned long TNC_UInt32; --typedef TNC_UInt32 TNC_ConnectionState; --typedef unsigned char *TNC_BufferReference; --typedef TNC_UInt32 TNC_ConnectionID; -- --#define TNC_CONNECTION_STATE_CREATE 0 --#define TNC_CONNECTION_STATE_HANDSHAKE 1 --#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2 --#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3 --#define TNC_CONNECTION_STATE_ACCESS_NONE 4 --#define TNC_CONNECTION_STATE_DELETE 5 --#define TNC_CONNECTION_EAP_ACKNOWLEDGEMENT 6 -- --/* -- * Accesspoint (as function-pointer) to the TNCS for sending and receiving -- * TNCCS-Messages. -- * -- * -connId: identifies the client which the passed message belongs to. -- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant -- * -input: input-TNCCS-message received from the client with connId -- * -inputLength: length of input-TNCCS-message -- * -isFirst: 1 if first message in fragmentation else 0 -- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)? -- * -overallLength: length of all fragments together (only set if fragmentation) -- * -output: answer-TNCCS-message from the TNCS to the client -- * -outputLength: length of answer-TNCCS-message -- * -answerIsFirst: returned answer is first in row -- * -moreFragmentsFollow: more fragments after this answer -- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer -- * -- * return: state of connection as result of the exchange -- */ --typedef TNC_ConnectionState (*ExchangeTNCCSMessagePointer)(/*in*/ TNC_ConnectionID connId, -- /*in*/ int isAcknoledgement, -- /*in*/ TNC_BufferReference input, -- /*in*/ TNC_UInt32 inputLength, -- /*in*/ int isFirst, -- /*in*/ int moreFragments, -- /*in*/ TNC_UInt32 overallLength, -- /*out*/ TNC_BufferReference *output, -- /*out*/ TNC_UInt32 *outputLength, -- /*out*/ int *answerIsFirst, -- /*out*/ int *moreFragmentsFollow, -- /*out*/ TNC_UInt32 *overallLengthOut --); -- --#ifdef __cplusplus --} --#endif --#endif //_TNCS_H_ -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2012-12-04 19:39:54.749423138 +0100 -@@ -37,6 +37,10 @@ - int copy_request_to_tunnel; - int use_tunneled_reply; - const char *virtual_server; -+ const char *tnc_virtual_server; // virtual server for EAP-TNC as the second inner method -+ VALUE_PAIR *auth_reply; // cache storage of the last reply of the first inner method -+ int auth_code; // cache storage of the reply-code of the first inner method -+ int doing_tnc; // status if we're doing EAP-TNC - } ttls_tunnel_t; - - /* -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2012-12-04 19:39:54.749423138 +0100 -@@ -62,6 +62,11 @@ - * Virtual server for inner tunnel session. - */ - char *virtual_server; -+ -+ /* -+ * Virtual server for the second inner tunnel method, which is EAP-TNC. -+ */ -+ char *tnc_virtual_server; - } rlm_eap_ttls_t; - - -@@ -78,6 +83,9 @@ - { "virtual_server", PW_TYPE_STRING_PTR, - offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL }, - -+ { "tnc_virtual_server", PW_TYPE_STRING_PTR, -+ offsetof(rlm_eap_ttls_t, tnc_virtual_server), NULL, NULL }, -+ - { "include_length", PW_TYPE_BOOLEAN, - offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" }, - -@@ -171,6 +179,10 @@ - t->copy_request_to_tunnel = inst->copy_request_to_tunnel; - t->use_tunneled_reply = inst->use_tunneled_reply; - t->virtual_server = inst->virtual_server; -+ t->tnc_virtual_server = inst->tnc_virtual_server; // virtual server for EAP-TNC as the second inner method -+ t->auth_reply = NULL; // cache storage of the last reply of the first inner method -+ t->auth_code = -1; // cache storage of the reply-code of the first inner method -+ t->doing_tnc = 0; // status if we're doing EAP-TNC (on start we're doing NOT) - return t; - } - -diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c ---- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-09-10 13:51:34.000000000 +0200 -+++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2012-12-04 19:39:54.749423138 +0100 -@@ -585,6 +585,94 @@ - } - - /* -+ * Start EAP-TNC as a second inner method. -+ * Creates a new fake-request out of the original incoming request (via EAP_HANDLER). -+ * If it's the first time, we create a EAP-START-packet and send -+ * EAP-START := code = PW_EAP_REQUEST -+ * -+ */ -+static REQUEST* start_tnc(EAP_HANDLER *handler, ttls_tunnel_t *t) { -+ REQUEST* request = handler->request; -+ RDEBUG2("EAP-TNC as second inner authentication method starts now"); -+ -+ /* -+ * Allocate a fake REQUEST struct, -+ * to make a new request, based on the original request. -+ */ -+ REQUEST* fake = request_alloc_fake(request); -+ -+ /* -+ * Set the virtual server to that of EAP-TNC. -+ */ -+ fake->server = t->tnc_virtual_server; -+ -+ /* -+ * Build a new EAP-Message. -+ */ -+ VALUE_PAIR *eap_msg; -+ eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS); -+ -+ /* -+ * Set the EAP-Message to look like EAP-Start -+ */ -+ eap_msg->vp_octets[0] = PW_EAP_RESPONSE; -+ eap_msg->vp_octets[1] = 0x00; -+ -+ /* -+ * Only setting EAP-TNC here, -+ * because it is intended to do user-authentication in the first inner method, -+ * and then a hardware-authentication (like EAP-TNC) as the second method. -+ */ -+ eap_msg->vp_octets[4] = PW_EAP_TNC; -+ -+ eap_msg->length = 0; -+ -+ /* -+ * Add the EAP-Message to the request. -+ */ -+ pairadd(&(fake->packet->vps), eap_msg); -+ -+ /* -+ * Process the new request by the virtual server configured for -+ * EAP-TNC. -+ */ -+ rad_authenticate(fake); -+ -+ /* -+ * From now on we're doing EAP-TNC as the second inner authentication method. -+ */ -+ t->doing_tnc = TRUE; -+ -+ return fake; -+} -+ -+/* -+ * Stop EAP-TNC as a second inner method. -+ * Copy the value pairs from the cached Access-Accept of the first inner method -+ * to the Access-Accept/Reject package of EAP-TNC. -+ */ -+static REQUEST* stop_tnc(REQUEST *request, ttls_tunnel_t *t) { -+ RDEBUG2("EAP-TNC as second inner authentication method stops now"); -+ -+ /* -+ * Copy the value-pairs of the origina Access-Accept of the first -+ * inner authentication method to the Access-Accept/Reject of the -+ * second inner authentication method (EAP-TNC). -+ */ -+ if (request->reply->code == PW_AUTHENTICATION_ACK) { -+ pairadd(&(request->reply->vps), t->auth_reply); -+ } else if (request->reply->code == PW_AUTHENTICATION_REJECT) { -+ pairadd(&(request->reply->vps), t->auth_reply); -+ } -+ -+ pairdelete(&(request->reply->vps), PW_MESSAGE_AUTHENTICATOR); -+ pairdelete(&(request->reply->vps), PW_PROXY_STATE); -+ pairdelete(&(request->reply->vps), PW_USER_NAME); -+ -+ return request; -+} -+ -+/* - * Use a reply packet to determine what to do. - */ - static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, -@@ -1135,6 +1223,16 @@ - - } /* else fake->server == request->server */ - -+ /* -+ * If we're doing EAP-TNC as a second method, -+ * then set the server to that one. -+ * Then, rad_authenticate will run EAP-TNC, -+ * so that afterwards we have to look for the state of -+ * EAP-TNC. -+ */ -+ if (t->doing_tnc) { -+ fake->server = t->tnc_virtual_server; -+ } - - if ((debug_flag > 0) && fr_log_fp) { - RDEBUG("Sending tunneled request"); -@@ -1248,6 +1346,53 @@ - - default: - /* -+ * If the result of the first method was an acknowledgment OR -+ * if were already running EAP-TNC, -+ * we're doing additional things before processing the reply. -+ * Also the configuration for EAP-TTLS has to contain a virtual server -+ * for EAP-TNC as the second method. -+ */ -+ if (t->tnc_virtual_server) { -+ /* -+ * If the reply code of the first inner method is PW_AUTHENTICATION_ACK -+ * which means that the method was successful, -+ * and we're not doing EAP-TNC as the second method, -+ * then we want to intercept the Access-Accept and start EAP-TNC as the second inner method. -+ */ -+ if (fake->reply->code == PW_AUTHENTICATION_ACK -+ && t->doing_tnc == FALSE) { -+ RDEBUG2("Reply-Code of the first inner method was: %d (PW_AUTHENTICATION_ACK)", fake->reply->code); -+ -+ /* -+ * Save reply-value pairs and reply-code of the first method. -+ */ -+ t->auth_reply = fake->reply->vps; -+ fake->reply->vps = NULL; -+ t->auth_code = fake->reply->code; -+ -+ /* -+ * Create the start package for EAP-TNC. -+ */ -+ fake = start_tnc(handler, t); -+ -+ /* -+ * If we're doing EAP-TNC as the second inner method, -+ * and the reply->code was PW_AUTHENTICATION_ACK or PW_AUTHENTICATION_REJECT, -+ * then we stop EAP-TNC and create an combined Access-Accept or Access-Reject. -+ */ -+ } else if (t->doing_tnc == TRUE -+ && (fake->reply->code == PW_AUTHENTICATION_ACK || fake->reply->code == PW_AUTHENTICATION_REJECT)) { -+ -+ /* -+ * Create the combined Access-Accept or -Reject. -+ */ -+ RDEBUG2("Reply-Code of EAP-TNC as the second inner method was: %d (%s)", fake->reply->code, -+ fake->reply->code == PW_AUTHENTICATION_ACK ? "PW_AUTHENTICATION_ACK" : "PW_AUTHENTICATION_REJECT"); -+ fake = stop_tnc(fake, t); -+ } -+ } -+ -+ /* - * Returns RLM_MODULE_FOO, and we want to return - * PW_FOO - */ diff --git a/testing/scripts/recipes/patches/hostapd-config b/testing/scripts/recipes/patches/hostapd-config deleted file mode 100644 index b26d2783f..000000000 --- a/testing/scripts/recipes/patches/hostapd-config +++ /dev/null @@ -1,38 +0,0 @@ -diff -u -ur hostapd-2.0.orig/hostapd/defconfig hostapd-2.0/hostapd/defconfig ---- hostapd-2.0.orig/hostapd/defconfig 2013-01-12 16:42:53.000000000 +0100 -+++ hostapd-2.0/hostapd/defconfig 2016-06-15 17:32:57.000000000 +0200 -@@ -13,14 +13,14 @@ - CONFIG_DRIVER_HOSTAP=y - - # Driver interface for wired authenticator --#CONFIG_DRIVER_WIRED=y -+CONFIG_DRIVER_WIRED=y - - # Driver interface for madwifi driver - #CONFIG_DRIVER_MADWIFI=y - #CFLAGS += -I../../madwifi # change to the madwifi source directory - - # Driver interface for drivers using the nl80211 kernel interface --CONFIG_DRIVER_NL80211=y -+#CONFIG_DRIVER_NL80211=y - - # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) - #CONFIG_DRIVER_BSD=y -@@ -30,7 +30,7 @@ - #LIBS_c += -L/usr/local/lib - - # Driver interface for no driver (e.g., RADIUS server only) --#CONFIG_DRIVER_NONE=y -+CONFIG_DRIVER_NONE=y - - # IEEE 802.11F/IAPP - CONFIG_IAPP=y -@@ -152,7 +152,7 @@ - - # Add support for writing debug log to a file: -f /tmp/hostapd.log - # Disabled by default. --#CONFIG_DEBUG_FILE=y -+CONFIG_DEBUG_FILE=y - - # Remove support for RADIUS accounting - #CONFIG_NO_ACCOUNTING=y \ No newline at end of file diff --git a/testing/scripts/recipes/patches/tnc-fhh-tncsim b/testing/scripts/recipes/patches/tnc-fhh-tncsim deleted file mode 100644 index 42c714480..000000000 --- a/testing/scripts/recipes/patches/tnc-fhh-tncsim +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/CMakeLists.txt b/CMakeLists.txt -index fe65134512ea..3c5255f21ea6 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -101,7 +101,6 @@ IF(${COMPONENT} STREQUAL "ALL") - add_subdirectory(tncxacml) - add_subdirectory(imcv) - add_subdirectory(tncs) -- add_subdirectory(tncsim) - - IF(${NAL} STREQUAL "8021X" OR ${NAL} STREQUAL "ALL") - add_subdirectory(naaeap) diff --git a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc deleted file mode 100644 index 2e00e5b44..000000000 --- a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc +++ /dev/null @@ -1,47 +0,0 @@ -diff -urN wpa_supplicant-2.0.ori/src/eap_peer/tncc.c wpa_supplicant-2.0/src/eap_peer/tncc.c ---- wpa_supplicant-2.0.ori/src/eap_peer/tncc.c 2013-01-12 16:42:53.000000000 +0100 -+++ wpa_supplicant-2.0/src/eap_peer/tncc.c 2013-03-23 13:10:22.151059154 +0100 -@@ -465,7 +465,7 @@ - return -1; - } - #else /* CONFIG_NATIVE_WINDOWS */ -- imc->dlhandle = dlopen(imc->path, RTLD_LAZY); -+ imc->dlhandle = dlopen(imc->path, RTLD_LAZY | RTLD_GLOBAL); - if (imc->dlhandle == NULL) { - wpa_printf(MSG_ERROR, "TNC: Failed to open IMC '%s' (%s): %s", - imc->name, imc->path, dlerror()); -diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/defconfig wpa_supplicant-2.0/wpa_supplicant/defconfig ---- wpa_supplicant-2.0.ori/wpa_supplicant/defconfig 2013-01-12 16:42:53.000000000 +0100 -+++ wpa_supplicant-2.0/wpa_supplicant/defconfig 2013-03-23 13:06:08.759052370 +0100 -@@ -86,7 +86,7 @@ - CONFIG_DRIVER_WEXT=y - - # Driver interface for Linux drivers using the nl80211 kernel interface --CONFIG_DRIVER_NL80211=y -+#CONFIG_DRIVER_NL80211=y - - # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) - #CONFIG_DRIVER_BSD=y -@@ -193,7 +193,7 @@ - #CONFIG_EAP_GPSK_SHA256=y - - # EAP-TNC and related Trusted Network Connect support (experimental) --#CONFIG_EAP_TNC=y -+CONFIG_EAP_TNC=y - - # Wi-Fi Protected Setup (WPS) - #CONFIG_WPS=y -diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/Makefile wpa_supplicant-2.0/wpa_supplicant/Makefile ---- wpa_supplicant-2.0.ori/wpa_supplicant/Makefile 2013-01-12 16:42:53.000000000 +0100 -+++ wpa_supplicant-2.0/wpa_supplicant/Makefile 2013-03-23 13:06:08.759052370 +0100 -@@ -6,8 +6,8 @@ - CFLAGS = -MMD -O2 -Wall -g - endif - --export LIBDIR ?= /usr/local/lib/ --export BINDIR ?= /usr/local/sbin/ -+export LIBDIR ?= /usr/lib/ -+export BINDIR ?= /usr/sbin/ - PKG_CONFIG ?= pkg-config - - CFLAGS += -I../src diff --git a/testing/testing.conf b/testing/testing.conf index 92b9693c1..7d8480c1f 100644 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -24,18 +24,14 @@ fi : ${TESTDIR=/srv/strongswan-testing} # Kernel configuration -<<<<<<< Updated upstream -: ${KERNELVERSION=4.18.9} -======= -: ${KERNELVERSION=4.15.9} ->>>>>>> Stashed changes +: ${KERNELVERSION=4.20} : ${KERNEL=linux-$KERNELVERSION} : ${KERNELTARBALL=$KERNEL.tar.xz} -: ${KERNELCONFIG=$DIR/../config/kernel/config-4.15} -: ${KERNELPATCH=ha-4.15.6-abicompat.patch.bz2} +: ${KERNELCONFIG=$DIR/../config/kernel/config-4.19} +: ${KERNELPATCH=ha-4.16-abicompat.patch.bz2} # strongSwan version used in tests -: ${SWANVERSION=5.7.0} +: ${SWANVERSION=5.7.2} # Build directory where the guest kernel and images will be built : ${BUILDDIR=$TESTDIR/build} @@ -52,8 +48,8 @@ fi # Base image settings # The base image is a pristine OS installation created using debootstrap. -: ${BASEIMGSIZE=1600} -: ${BASEIMGSUITE=jessie} +: ${BASEIMGSIZE=1800} +: ${BASEIMGSUITE=stretch} : ${BASEIMGARCH=amd64} : ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT} : ${BASEIMGMIRROR=http://http.debian.net/debian} diff --git a/testing/tests/botan/net2net-ed25519/description.txt b/testing/tests/botan/net2net-ed25519/description.txt new file mode 100755 index 000000000..8c67989f4 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/description.txt @@ -0,0 +1,10 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates containing Ed25519 keys. +moon uses the botan plugin based on the Botan library for all +cryptographical functions whereas sun uses the default strongSwan +cryptographical plugins. +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/botan/net2net-ed25519/evaltest.dat b/testing/tests/botan/net2net-ed25519/evaltest.dat new file mode 100755 index 000000000..ebbb8ae75 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/evaltest.dat @@ -0,0 +1,7 @@ +moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES +sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..508c30a00 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = random pem x509 revocation constraints pubkey botan +} + +charon-systemd { + load = random nonce pem x509 botan revocation curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem new file mode 100644 index 000000000..491d36430 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk +-----END PRIVATE KEY----- diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bcc2742f7 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..e67b224b6 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB9TCCAaegAwIBAgIBATAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT +EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5 +IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDQyWhcNMjExMjA0MjI0MDQyWjBaMQswCQYD +VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF +ZDI1NTE5MRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA +4X/jpRSEXr0/TmIHTOj7FqllkP+3e+ljkAU1FtYnX5ijgZwwgZkwHwYDVR0jBBgw +FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz +d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmww +BQYDK2VwA0EAOjD6PXrI3R8Wj55gstR2FtT0Htu4vV2jCRekts8O0++GNVMn65BX +8ohW9fH7Ie2JTSOb0wzX+TPuMUAkLutUBA== +-----END CERTIFICATE----- diff --git a/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..9c5a06945 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw +GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g +RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow +TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG +A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G +lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4 +MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv +OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ= +-----END CERTIFICATE----- diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..a35aea01c --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem new file mode 100644 index 000000000..b83f62c13 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0 +-----END PRIVATE KEY----- diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..12cee0fc6 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem new file mode 100644 index 000000000..70af02017 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB8zCCAaWgAwIBAgIBAjAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT +EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5 +IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDAyWhcNMjExMjA0MjI0MDAyWjBZMQswCQYD +VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF +ZDI1NTE5MRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMrZXADIQBn +HgUv3QIepihJpxydVVtgTsIqminFnbGSER5ReAaQ+qOBmzCBmDAfBgNVHSMEGDAW +gBQjTpKQCkiG9gVd/nmndgM6jnDY+DAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dh +bi5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0 +cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VkMjU1MTkuY3JsMAUG +AytlcANBAC27Z6Q7/c21bPb3OfvbdnePhIpgGM3LVBL/0Pj9VOAtUec/Rv2rPNHq +8C1xtc/jMCsI/NdpXSZCeN0lQgf0mgA= +-----END CERTIFICATE----- diff --git a/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..9c5a06945 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw +GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g +RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow +TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG +A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G +lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4 +MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv +OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ= +-----END CERTIFICATE----- diff --git a/testing/tests/botan/net2net-ed25519/posttest.dat b/testing/tests/botan/net2net-ed25519/posttest.dat new file mode 100755 index 000000000..30f6ede76 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/posttest.dat @@ -0,0 +1,7 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/swanctl/pkcs8/* +sun::rm /etc/swanctl/pkcs8/* diff --git a/testing/tests/botan/net2net-ed25519/pretest.dat b/testing/tests/botan/net2net-ed25519/pretest.dat new file mode 100755 index 000000000..410253e54 --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/pretest.dat @@ -0,0 +1,9 @@ +moon::rm /etc/swanctl/rsa/moonKey.pem +sun::rm /etc/swanctl/rsa/sunKey.pem +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/botan/net2net-ed25519/test.conf b/testing/tests/botan/net2net-ed25519/test.conf new file mode 100755 index 000000000..07a3b247a --- /dev/null +++ b/testing/tests/botan/net2net-ed25519/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/botan/net2net-pkcs12/description.txt b/testing/tests/botan/net2net-pkcs12/description.txt new file mode 100644 index 000000000..1d40e30f0 --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and an RSA private key stored in +PKCS12 format. +

+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/botan/net2net-pkcs12/evaltest.dat b/testing/tests/botan/net2net-pkcs12/evaltest.dat new file mode 100644 index 000000000..bfc7e76f1 --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/evaltest.dat @@ -0,0 +1,5 @@ +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1d9a7c08b --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 new file mode 100644 index 000000000..365da741f Binary files /dev/null and b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 differ diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b11cf0f3e --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + pkcs12-moon { + file = moonCert.p12 + secret = "kUqd8O7mzbjXNJKQ" + } +} diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..1d9a7c08b --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 new file mode 100644 index 000000000..e2cd2f21d Binary files /dev/null and b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 differ diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..28c0e87a4 --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + pkcs12-sun { + file = sunCert.p12 + secret = "IxjQVCF3JGI+MoPi" + } +} diff --git a/testing/tests/botan/net2net-pkcs12/posttest.dat b/testing/tests/botan/net2net-pkcs12/posttest.dat new file mode 100644 index 000000000..9802f442d --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/posttest.dat @@ -0,0 +1,6 @@ +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/swanctl/pkcs12/moonCert.p12 +sun::rm /etc/swanctl/pkcs12/sunCert.p12 diff --git a/testing/tests/botan/net2net-pkcs12/pretest.dat b/testing/tests/botan/net2net-pkcs12/pretest.dat new file mode 100644 index 000000000..22ffcf949 --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/pretest.dat @@ -0,0 +1,9 @@ +moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem +sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/botan/net2net-pkcs12/test.conf b/testing/tests/botan/net2net-pkcs12/test.conf new file mode 100644 index 000000000..87abc763b --- /dev/null +++ b/testing/tests/botan/net2net-pkcs12/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/description.txt b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt new file mode 100755 index 000000000..2db82a941 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates with signatures consisting of +RSA-encrypted SHA-3 hashes. +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat new file mode 100755 index 000000000..4c56d5299 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..51a7747d7 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem x509 revocation constraints pubkey botan random +} + +charon-systemd { + load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..f24b3ebf3 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq +pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV +T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N +Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt +UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/ +XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY +v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA +G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp +qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V +/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK +8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/ +8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc +6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G +NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE +DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU +z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD +01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU +bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId +23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/ +Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p +F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA +29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/ +XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F +/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX +SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu +8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq +TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE +miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ +p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du +ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli +CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6 +dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH +gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY +3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc +gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN +vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV +E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bcc2742f7 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..bea7e81f8 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky +MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v +cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6 +ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF +kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9 +ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE +6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS +4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW +GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA +bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP +tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf +BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u +LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw +N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz +LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT +UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo +tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs +jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl +noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2 +pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc +gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA +5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79 +ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q== +-----END CERTIFICATE----- diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..51a7747d7 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem x509 revocation constraints pubkey botan random +} + +charon-systemd { + load = random nonce pem x509 revocation constraints pubkey botan curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem new file mode 100644 index 000000000..a694bbb8f --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAuoGEVV6htuzLZd7oeZHYznMbBLffOz2l+t0XqHTUA44eM57K +ZZMDAcc0gZvZWVFNDmOWpXpxbSQozA8Dgb9b9BYkNWHKW11rwSHq5mzmjBME394p +DvzdV3tMmSGrhS00EyFWXLnpqrvkNTtiIm6nNHidrqM4ixbXiebOjDi3Z1vIJHOu +MiUBe8KvZ7p8q4MpRADpEB565NWd+5/Yy4DECepBcmQn+9Pn/6FvdYfodBin9QyO ++7xsgQlnx6XI1HeiMdB6EE8r4AOVbZWseEJkUo/ZhsQk5tIYKZB18vo/8nnAHn6r +ez+belmo4l/3hctRn8t08Lp7TRxnIUwGL8b8BxtAkR9T09duwE1KRt4h/PsCRx1H +WKN9g/KsOi8ZPrBiz+hoHhIv+pvQ4ciEuC1Zf6AelEUnI/Rh6RuIkEjuisNk6zL6 +Fi9J2RWDTXY5vJdUTbmQhoQpbmX3yWdJyLn9vLaK/IDhaguYOuiUHKY57jWXZwW/ +bD3a5wi08JLCb0ahAgMBAAECggGALeWxq1Cee2XKqEcy7rf1otiwzXhydyG0twex +ysL1aeqPhCSPqm+DTey3/y1bT5+yVtgrOo3nW/SKFa2cL1HoTykjv/9QzSswWVb/ +d7VVByOnD3CcqhOQZPby4rxmeV+mcQ7DMg6OcnXKs07p149jloYYR+HjCFeWs1kZ +e2h5ufXcSxwswipZMxu2DtDV3V9pyFJxCIZ3t9jaCBJOR8ZoeAguEviS3mZHsaEI +zOOlUOzAaI2uokS8bwThhUBHLAJEe5hglKtu5N1QGUo5x62wIK1+4McKqX5cphvW +63N5P7yB30hfc1xM9VP/fi5UzmgccNmHl3ErJX6EbHbVNUv0a/wI6cp+s/DQRZMc +Injr5BJIIFbzmqYST+UxEwtxUL7uV1s/eTXwsFxfQPJnx8rWbeyvGJHU6VykWJ2n +vHmOItgaw4Lm0iw5XH2g0QC7nYFW6qC5sk7LIS3xUzN73JWjV2Z1E5nLfKxZ9sXz +aA8WNrMSHUM/KkFaUri1xoH6gdABAoHBAPfA/gcZaoMemP06BIWKwgb/91GRsvc+ +slrmyZy+nq2bQaJw8oYyUmgWfh9X8pD6eVQN7jJBuA3BMg3L4Vn/R65rcwwYKA20 +pHgZF2MbwRlbBDtFQJe8kmwFu+TkHpGcoo94V6MdpbqoRKwQs66WOcjp4vzRLOL0 +ueynDrAPxpOaNIsr66s7xjd01VwEXYlfOfNBpOF/+3vN+O++k45/rnlEWgLeq6ie +1xkv9vZp4FuNf6gnBXcNhu8aDJvJEMfxnQKBwQDAtqgE9K7Rhq9ht8w8P+QZUGYL +c8mL4IGsPgmucuuheeWpmvLuAhsTxWBQhrO8/eEK4je+li6R/x0HYqgytsnOxlQH +xH8ZsvouPtacUF9pv8x7GLnGlvdxdQzmnjYqR5MzFEX/L8+8skiyY95V/kNiWE/T +X/Q8JgqyQ7VlykHtaToYchEhgY2m2Zxw6YhrI/ghtlP6NwOJDYsFxe7cfVvBQj9K +qtwAidr8pKSLyJFaot+dAdSqAYZxiO90aSt/i9UCgcEAjzv7YR1Xj+CjsFrXfGFB +VYysbnMelYSg1p7w1nb6BAJrir9j5yO2ssi2N+a/rQOyG19GY7XM897K0mEZss88 +oOEsDUT1+x6Bq5FODRVhqQgOxTl/Y3o46MzT2TvtVF/LN8jqWbptMyHPOe8aAoiF +dduKSIGiQsAbsW7PtggY1QLk98T3pfKT4UHhjCZV8XKlbTZ5XYmBWg01q11xr4Ov +2hojM9+KPJ1AXCZ3z/RcKnH+6LdOmIqwhRF5UqOG2SGdAoHAEA+pFTCnWUMWXtiI +pwTUJ9/xgUbXJ1dAt3A8MlPVm5GjOG13jaqTQySSEGQJmti15shPyQyPOQ/ABZuN +VRyy2Q7idftEdIncG/qUvFZefVvE2QWIhiqS2NvehWHuNbvdYsZvxwLfF2TsdiGo +qBYW251smbtHibPJ9G18Ms2WjQjWFK99CgPYIG3GggqUmglXZsfhW9s16jg8u/Bx +JeM0wHia+cgfqdPTcnbuV9ARfTJR3K4IYVrbL58wBc22GF05AoHAQvhfvtieWCJ8 +ATqOBjOcUHJ2WLiOslWsYOoqXy7v2YuVt8XFWAWZmLlzcC+8Tv79lCLpOmpiseQw +kP9Mihi+8T15AmRUUsPREeGb7wCDNbd/KixPimhnelNGPNAV+6DPonSa4WcF9jZk +nDa51PBPWCEPB5GHdbg/E5yiWMbr63bcTQNZxlRDaljNSRPp8xprs+JT1AIZI2wq +hEyK6IMjYIj80jB8JZIM7nNgRhzCKCo7RdR3JMb5tduOgzvEheC3 +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..12cee0fc6 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem new file mode 100644 index 000000000..f1c086ee9 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIExjCCAy6gAwIBAgIBATANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzUzMFoXDTI2MDky +MjEwMzUzMFowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2FuLm9y +ZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALqBhFVeobbsy2Xe6HmR +2M5zGwS33zs9pfrdF6h01AOOHjOeymWTAwHHNIGb2VlRTQ5jlqV6cW0kKMwPA4G/ +W/QWJDVhyltda8Eh6uZs5owTBN/eKQ783Vd7TJkhq4UtNBMhVly56aq75DU7YiJu +pzR4na6jOIsW14nmzow4t2dbyCRzrjIlAXvCr2e6fKuDKUQA6RAeeuTVnfuf2MuA +xAnqQXJkJ/vT5/+hb3WH6HQYp/UMjvu8bIEJZ8elyNR3ojHQehBPK+ADlW2VrHhC +ZFKP2YbEJObSGCmQdfL6P/J5wB5+q3s/m3pZqOJf94XLUZ/LdPC6e00cZyFMBi/G +/AcbQJEfU9PXbsBNSkbeIfz7AkcdR1ijfYPyrDovGT6wYs/oaB4SL/qb0OHIhLgt +WX+gHpRFJyP0YekbiJBI7orDZOsy+hYvSdkVg012ObyXVE25kIaEKW5l98lnSci5 +/by2ivyA4WoLmDrolBymOe41l2cFv2w92ucItPCSwm9GoQIDAQABo4GcMIGZMB8G +A1UdIwQYMBaAFOTJzYzyiG0dpy7XXnkxpWZVNc4CMB0GA1UdEQQWMBSCEnN1bi5z +dHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBCBgNVHR8EOzA5MDeg +NaAzhjFodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tc2hhMy1y +c2EuY3JsMA0GCWCGSAFlAwQDDgUAA4IBgQACXiUqwisoOZUH3CPfi+aGaluK3mO7 +nj/gX5X9oE2JC3haWjbnC9fsKai72U8makp12xCpWjHsuiytVlXiiSCRxBGAaFm0 +cy2AI4Ttj+4+GAaI4BkqYBTApdSSXXUH3X4Lwb4LReX+16TsJ4E+d2U/j70gyGRK +F/KgkKj/Bi4F//4/uXHPbgp2istKmkQ4wlcUb5EdM0tUiAUwYGMhdUhSryq4+7y8 +1QaPGg0Zv3nvGgoj332BOczflmNzoonXcihZk97iMRc/TvBOoizvuH9COCSbw/AB +hnVG1lyTQjBAcE2U4MP5yUVuIqBgPnKtbyN3gf30Iq3g/ThVekchrYGO3PWMWAzS +ecfr2yN11BC6nDca039Yub41AuzQqBQR1gY5sHouXNTx4Bs0g4xk+3rGa8MMgI0+ +jXhDVAorQFYuACDuto6skRtkcmXJ/1psvVEv5dcKAHdZCNKkgtXe2XoVvrjNxnPw +MTVros8o+8Bz2R4qArLjwrZtvYI+czZx6dk= +-----END CERTIFICATE----- diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat new file mode 100755 index 000000000..755f0e5f8 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat new file mode 100755 index 000000000..9440ddab0 --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/pretest.dat @@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/botan/net2net-sha3-rsa-cert/test.conf b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf new file mode 100755 index 000000000..07a3b247a --- /dev/null +++ b/testing/tests/botan/net2net-sha3-rsa-cert/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..b2072d1f4 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} \ No newline at end of file diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..07178dc5e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,56 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + suffix + files + eap { + ok = return + } +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..4fb07b912 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat index 181949fb5..4361417fd 100644 --- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat index b4c7637ac..377aedf1b 100644 --- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..27a42d00f --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,53 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + suffix + files + pap +} + +authenticate { + Auth-Type PAP { + pap + } +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { +} + +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..4fb07b912 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat index 181949fb5..4361417fd 100644 --- a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat +++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat index b4c7637ac..377aedf1b 100644 --- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf deleted file mode 100644 index 0340d5669..000000000 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/dhcpd.conf +++ /dev/null @@ -1,9 +0,0 @@ -subnet 10.1.0.0 netmask 255.255.0.0 { - option routers 10.1.0.1; - option broadcast-address 10.1.255.255; - option domain-name servers PH_IP_WINNETOU PH_IP_VENUS - option netbios-name-servers PH_IP_VENUS; - - # dynamic address pool for visitors - range 10.1.0.30 10.1.0.50; -} diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf deleted file mode 100644 index 0340d5669..000000000 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/dhcpd.conf +++ /dev/null @@ -1,9 +0,0 @@ -subnet 10.1.0.0 netmask 255.255.0.0 { - option routers 10.1.0.1; - option broadcast-address 10.1.255.255; - option domain-name servers PH_IP_WINNETOU PH_IP_VENUS - option netbios-name-servers PH_IP_VENUS; - - # dynamic address pool for visitors - range 10.1.0.30 10.1.0.50; -} diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf deleted file mode 100644 index 0340d5669..000000000 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/dhcpd.conf +++ /dev/null @@ -1,9 +0,0 @@ -subnet 10.1.0.0 netmask 255.255.0.0 { - option routers 10.1.0.1; - option broadcast-address 10.1.255.255; - option domain-name servers PH_IP_WINNETOU PH_IP_VENUS - option netbios-name-servers PH_IP_VENUS; - - # dynamic address pool for visitors - range 10.1.0.30 10.1.0.50; -} diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt index 6be21bf8f..876aa7980 100644 --- a/testing/tests/ikev2/host2host-cert/description.txt +++ b/testing/tests/ikev2/host2host-cert/description.txt @@ -1,4 +1,6 @@ A connection between the hosts moon and sun is successfully set up. -The authentication is based on X.509 certificates. leftfirewall=yes automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. +The authentication is based on X.509 certificates. +

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the host-to-host tunnel moon pings sun. diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat index 7e343efa5..dcf573b59 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat @@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat index 7e343efa5..dcf573b59 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat +++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat @@ -6,4 +6,4 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2057b5193 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..aa6f98076 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files deleted file mode 100644 index 10c26aa15..000000000 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files +++ /dev/null @@ -1,3 +0,0 @@ -sim_files { - simtriplets = "/etc/freeradius/triplets.dat" -} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default index 91425f812..2968646e5 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default @@ -2,13 +2,23 @@ authorize { preprocess chap mschap - sim_files suffix + files + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } eap { ok = return } unix - files expiration logintime pap diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat deleted file mode 100644 index aaabab89e..000000000 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat +++ /dev/null @@ -1,6 +0,0 @@ -228060123456001,30000000000000000000000000000000,30112233,305566778899AABB -228060123456001,31000000000000000000000000000000,31112233,315566778899AABB -228060123456001,32000000000000000000000000000000,32112233,325566778899AABB -228060123456002,33000000000000000000000000000000,33112233,335566778899AABB -228060123456002,34000000000000000000000000000000,34112233,345566778899AABB -228060123456002,35000000000000000000000000000000,35112233,355566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users index e69de29bb..aa6f98076 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat index 6a4da6631..4069be9ce 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat index 9ffd27f1e..f3fdfe6ff 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat @@ -1,10 +1,6 @@ -alice::cat /etc/freeradius/clients.conf -alice::cat /etc/freeradius/eap.conf -alice::cat /etc/freeradius/proxy.conf -alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/nat-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt index c74897d9a..9bef3cd18 100644 --- a/testing/tests/ikev2/nat-rw-psk/description.txt +++ b/testing/tests/ikev2/nat-rw-psk/description.txt @@ -1,6 +1,7 @@ The roadwarriors alice and venus sitting behind the NAT router moon set up tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. -Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway sun. +Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway sun. +

leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev2/nat-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt index dcf4b94bd..58b28bad2 100644 --- a/testing/tests/ikev2/nat-rw/description.txt +++ b/testing/tests/ikev2/nat-rw/description.txt @@ -1,5 +1,7 @@ The roadwarriors alice and venus sitting behind the NAT router moon set up tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. +Authentication is based on X.509 certificates. +

leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus ping the client bob behind the gateway sun. diff --git a/testing/tests/ikev2/net2net-psk/description.txt b/testing/tests/ikev2/net2net-psk/description.txt index 02cddbb83..07320d731 100644 --- a/testing/tests/ikev2/net2net-psk/description.txt +++ b/testing/tests/ikev2/net2net-psk/description.txt @@ -1,6 +1,7 @@ A connection between the subnets behind the gateways moon and sun is set up. -The authentication is based on Preshared Keys (PSK). Upon the successful -establishment of the IPsec tunnel, leftfirewall=yes automatically +The authentication is based on Preshared Keys (PSK). +

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt index 6d886024b..893a27230 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/description.txt @@ -1,9 +1,11 @@ -at the outset the gateway authenticates itself to the client by sending an -IKEv2 RSA signature accompanied by a certificate. The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with the Authentication and Key Agreement protocol -(EAP-AKA) to authenticate against the gateway. This protocol is used -in UMTS, but here a secret from ipsec.secrets is used instead of a USIM/(R)UIM. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Authentication and Key Agreement (EAP-AKA) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method used in UMTS, but here a secret defined in ipsec.secrets +is used instead of a USIM/(R)UIM device. +

In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol uses the EAP identity carol. diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt index 1277081b9..da5b72735 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt @@ -1,7 +1,8 @@ The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with the Authentication and Key Agreement protocol -(EAP-AKA) to authenticate against the gateway. This protocol is used -in UMTS, but here a secret from ipsec.secrets is used instead of a USIM/(R)UIM. -Gateway moon additionally uses an RSA signature to authenticate itself -against carol. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Authentication and Key Agreement (EAP-AKA) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method used in UMTS, but here a secret defined in ipsec.secrets +is used instead of a USIM/(R)UIM device. \ No newline at end of file diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..1dc69d90d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..ba92f0080 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,4 @@ +carol Cleartext-Password := "Ar3etTnp" + Framed-IP-Address = 10.3.0.1 +dave Cleartext-Password := "W7R0g3do" + Framed-IP-Address = 10.3.0.2 diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat index 670d2e72f..a6619d02b 100644 --- a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat index fa2d7eeb9..c98e8ed53 100644 --- a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..1dc69d90d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..62d459115 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,4 @@ +carol Cleartext-Password := "Ar3etTnp" + Class = "Research" +dave Cleartext-Password := "W7R0g3do" + Class = "Accounting" diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat index 670d2e72f..a6619d02b 100644 --- a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat index 303139615..e63c57e72 100644 --- a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..1dc69d90d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat index 181949fb5..4361417fd 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat index b27673c6d..012323f8f 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw-eap diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat index 181949fb5..4361417fd 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat index b27673c6d..012323f8f 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw-eap diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt index d376ee5a8..08fd89b65 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt @@ -1,7 +1,7 @@ The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with an MD5 challenge and response protocol -(EAP-MD5) to authenticate against the gateway. The user password -is kept in ipsec.secrets on both gateway and client -Gateway moon additionally uses an RSA signature to authenticate itself -against carol. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the MD5 (EAP-MD5) method of the +Extensible Authentication Protocol to authenticate herself. + diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt index 4feadff4c..95afc08b5 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt @@ -1,8 +1,10 @@ The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with the Microsoft CHAP version 2 protocol -(EAP-MSCHAPV2) to authenticate against the gateway. This protocol is used -e.g. by the Windows 7 Agile VPN client. -In addition to her IKEv2 identity PH_IP_CAROL, roadwarrior carol -uses the EAP identy carol. Gateway moon additionally uses an RSA signature -to authenticate itself against carol. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Microsoft CHAP version 2 (EAP-MSCHAPV2) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client. +

+In addition to her IKEv2 identity which defaults to her IP address, +roadwarrior carol uses the EAP identity carol. diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..0ae8befe4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,21 @@ +eap { + md5 { + } + default_eap_type = peap + + tls-config tls-common { + private_key_file = ${certdir}/aaaKey.pem + certificate_file = ${certdir}/aaaCert.pem + ca_file = ${cadir}/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = ${certdir}/dh + random_file = ${certdir}/random + } + + peap { + tls = tls-common + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..6ce9d6391 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel @@ -0,0 +1,38 @@ +server inner-tunnel { + +authorize { + filter_username + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat index 670d2e72f..a6619d02b 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat index fa2d7eeb9..c98e8ed53 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt index 0531a559f..41abb363c 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt @@ -1,13 +1,13 @@ The roadwarrior carol sets up a connection to gateway moon. At the outset the gateway authenticates itself to the client by sending -an IKEv2 RSA signature accompanied by a certificate. -carol then uses the Extensible Authentication Protocol -in association with a GSM Subscriber Identity Module -(EAP-SIM) to authenticate against the gateway moon. -In this scenario triplets from the file /etc/ipsec.d/triplets.dat -are used instead of a physical SIM card on the client carol and -the gateway forwards all EAP messages to the RADIUS server alice +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate herself. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

+The gateway forwards all EAP messages to the RADIUS server alice which also uses static triplets. In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol uses the EAP identity 228060123456001. - diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2057b5193 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..1c281a974 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files deleted file mode 100644 index 10c26aa15..000000000 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files +++ /dev/null @@ -1,3 +0,0 @@ -sim_files { - simtriplets = "/etc/freeradius/triplets.dat" -} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default index 893529324..1dc666992 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default @@ -1,5 +1,16 @@ authorize { - sim_files + files + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } eap { ok = return } diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat deleted file mode 100644 index c167ba940..000000000 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat +++ /dev/null @@ -1,3 +0,0 @@ -228060123456001,30000000000000000000000000000000,30112233,305566778899AABB -228060123456001,31000000000000000000000000000000,31112233,315566778899AABB -228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users index e69de29bb..1c281a974 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat index 181949fb5..4361417fd 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat index 122ee2283..53aa83f0c 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat @@ -1,8 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw-eap diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt index d50175664..26de3c982 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt @@ -1,14 +1,15 @@ -The roadwarrior carol sets up a connection to gateway moon. -The gateway moon does not send an AUTH payload thus signalling +The roadwarriors carol and dave set up a connection to gateway moon. +At the outset the gateway does not send an AUTH payload thus signalling a mutual EAP-only authentication. -carol then uses the Extensible Authentication Protocol -in association with a GSM Subscriber Identity Module -(EAP-SIM) to authenticate against the gateway moon. -In this scenario, triplets from the file /etc/ipsec.d/triplets.dat -are used instead of a physical SIM card on the client carol. +

+Next the clients use the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate themselves. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

The gateway forwards all EAP messages to the RADIUS server alice -which also uses a static triplets file. -

+which also uses static triplets. +

The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence -the radius server alice returns an Access-Reject message -and the gateway moon sends back an EAP_FAILURE. +the RADIUS server alice returns an Access-Reject message +and the gateway moon sends back EAP_FAILURE. diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..71fa4f18c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files deleted file mode 100644 index 10c26aa15..000000000 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files +++ /dev/null @@ -1,3 +0,0 @@ -sim_files { - simtriplets = "/etc/freeradius/triplets.dat" -} diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default index fbdf75f4c..8d68b81fc 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default @@ -1,6 +1,17 @@ authorize { - sim_files + files suffix + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } eap { ok = return } diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat deleted file mode 100644 index 3e9a644eb..000000000 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat +++ /dev/null @@ -1,6 +0,0 @@ -carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB -carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB -carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB -dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB -dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB -dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users index e69de29bb..a74267d30 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat index 670d2e72f..a6619d02b 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat index 9614686c2..04b824def 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat @@ -7,10 +7,9 @@ dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-sim-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-radius/description.txt index 6c3c71987..5cb1bacdc 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-sim-radius/description.txt @@ -1,14 +1,15 @@ -The roadwarrior carol sets up a connection to gateway moon. -At the outset the gateway authenticates itself to the client by sending -an IKEv2 RSA signature accompanied by a certificate. -carol then uses the Extensible Authentication Protocol -in association with a GSM Subscriber Identity Module -(EAP-SIM) to authenticate against the gateway moon. -In this scenario, triplets from the file /etc/ipsec.d/triplets.dat -are used instead of a physical SIM card on the client carol. +The roadwarriors carol and dave set up a connection to gateway moon. +At the outset the gateway authenticates itself to the clients by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next the clients use the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate themselves. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

The gateway forwards all EAP messages to the RADIUS server alice -which also uses a static triplets file. -

+which also uses static triplets. +

The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence -the radius server alice returns an Access-Reject message -and the gateway moon sends back an EAP_FAILURE. +the RADIUS server alice returns an Access-Reject message +and the gateway moon sends back EAP_FAILURE. diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..71fa4f18c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files deleted file mode 100644 index 10c26aa15..000000000 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files +++ /dev/null @@ -1,3 +0,0 @@ -sim_files { - simtriplets = "/etc/freeradius/triplets.dat" -} diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default index 91425f812..51b64a74b 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default @@ -2,8 +2,19 @@ authorize { preprocess chap mschap - sim_files + files suffix + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } eap { ok = return } diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat deleted file mode 100644 index 3e9a644eb..000000000 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat +++ /dev/null @@ -1,6 +0,0 @@ -carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB -carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB -carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB -dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB -dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB -dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users index e69de29bb..a74267d30 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat index 670d2e72f..a6619d02b 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat index 52d5962f4..e171997bc 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat @@ -1,13 +1,9 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::cat /etc/freeradius/clients.conf -alice::cat /etc/freeradius/eap.conf -alice::cat /etc/freeradius/proxy.conf -alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt index 686241809..4401e679f 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt +++ b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt @@ -1,7 +1,8 @@ The roadwarrior carol sets up a connection to gateway moon. -carol uses the Extensible Authentication Protocol -in association with a GSM Subscriber Identity Module (EAP-SIM) -to authenticate against the gateway. In this scenario triplets from the file -/etc/ipsec.d/triplets.dat are used instead of a physical SIM card. -Gateway moon additionally uses an RSA signature to authenticate -itself against carol. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate herself. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..e8670dbb7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,16 @@ +eap { + default_eap_type = tls + + tls-config tls-common { + private_key_file = ${certdir}/aaaKey.pem + certificate_file = ${certdir}/aaaCert.pem + ca_file = ${cadir}/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = ${certdir}/dh + random_file = ${certdir}/random + } + + tls { + tls = tls-common + } +} diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..060702784 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,55 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf index ef5666914..6907b7657 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf @@ -9,7 +9,3 @@ charon { } } } - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat index 181949fb5..4361417fd 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat index b27673c6d..012323f8f 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat @@ -1,6 +1,6 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw-eap diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt deleted file mode 100644 index d5f0b267a..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -The strong mutual authentication is based on EAP-TTLS only (without a separate IKEv2 -authentication) with the gateway being authenticated by a server certificate during the -EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client -authentication based on EAP-MD5 (phase2 of EAP-TTLS). -

-With the setting charon.plugins.eap-ttls.phase2_piggyback = yes the server moon -initiates phase2 of the EAP-TTLS protocol by piggybacking a tunneled EAP Identity request -right onto the TLS Finished message. Client carol presents the correct MD5 password -and succeeds whereas client dave chooses the wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat deleted file mode 100644 index 2285608b8..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES -carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES -carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES -dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES -dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES -dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO -carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 576d2cb99..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" - rightauth=any - rightsubnet=10.1.0.0/16 - rightsendcert=never - auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 74942afda..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf deleted file mode 100644 index fa1febe0f..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown - multiple_authentication=no - syslog { - daemon { - tls = 2 - } - } -} diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf deleted file mode 100644 index ba52ec31e..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" - rightauth=any - rightsubnet=10.1.0.0/16 - rightsendcert=never - auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index d5631a9f5..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf deleted file mode 100644 index fa1febe0f..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown - multiple_authentication=no - syslog { - daemon { - tls = 2 - } - } -} diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 738481257..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftauth=eap-ttls - leftfirewall=yes - rightauth=eap-ttls - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 2e277ccb0..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 0ff7725ca..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown - multiple_authentication=no - - syslog { - daemon { - tls = 2 - } - } - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - } - } -} diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat deleted file mode 100644 index dccf85419..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw-eap -carol::expect-connection home -carol::ipsec up home -dave::expect-connection home -dave::ipsec up home diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7450c71c4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,21 @@ +eap { + md5 { + } + default_eap_type = ttls + + tls-config tls-common { + private_key_file = ${certdir}/aaaKey.pem + certificate_file = ${certdir}/aaaCert.pem + ca_file = ${cadir}/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = ${certdir}/dh + random_file = ${certdir}/random + } + + ttls { + tls = tls-common + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..6ce9d6391 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel @@ -0,0 +1,38 @@ +server inner-tunnel { + +authorize { + filter_username + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat index 670d2e72f..a6619d02b 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::killall radiusd +alice::killall freeradius moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat index fa2d7eeb9..c98e8ed53 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..dafe7f052 --- /dev/null +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,64 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +listen { + type = acct + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat index 98f7a6954..66416eb28 100644 --- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat +++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat @@ -1,6 +1,6 @@ carol::ipsec stop moon::ipsec stop -alice::killall radiusd +alice::killall freeradius alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/* carol::iptables-restore < /etc/iptables.flush moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat index 7ec7c1226..d3c345200 100644 --- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat +++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/* -alice::radiusd +alice::freeradius moon::ipsec start carol::ipsec start moon::expect-connection rw-eap diff --git a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat index 186ce4e06..c792f3a7e 100644 --- a/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat +++ b/testing/tests/ipv6-stroke/host2host-ikev1/evaltest.dat @@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun. sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat index 186ce4e06..c792f3a7e 100644 --- a/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat +++ b/testing/tests/ipv6-stroke/host2host-ikev2/evaltest.dat @@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun. sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat index 4cf23a31b..d2db56eb8 100644 --- a/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat +++ b/testing/tests/ipv6-stroke/net2net-ikev1/evaltest.dat @@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat index 4cf23a31b..d2db56eb8 100644 --- a/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat +++ b/testing/tests/ipv6-stroke/net2net-ikev2/evaltest.dat @@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat index 803cf5ef5..5fef8bbb1 100644 --- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/evaltest.dat @@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat index 803cf5ef5..5fef8bbb1 100644 --- a/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/evaltest.dat @@ -2,6 +2,6 @@ moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun sun:: ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat index 0e125b70e..c3bbe341f 100644 --- a/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat +++ b/testing/tests/ipv6-stroke/rw-ikev1/evaltest.dat @@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat index 0e125b70e..c3bbe341f 100644 --- a/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat +++ b/testing/tests/ipv6-stroke/rw-ikev2/evaltest.dat @@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat index f6dc9aa3e..5178076a3 100644 --- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/evaltest.dat @@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat index f6dc9aa3e..5178076a3 100644 --- a/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/evaltest.dat @@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat index 16982a736..52e4bf623 100644 --- a/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/ipv6-stroke/rw-psk-ikev1/evaltest.dat @@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat index 16982a736..52e4bf623 100644 --- a/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat +++ b/testing/tests/ipv6-stroke/rw-psk-ikev2/evaltest.dat @@ -6,8 +6,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat index 5ae9d2c12..7a6fc302e 100644 --- a/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat +++ b/testing/tests/ipv6-stroke/transport-ikev1/evaltest.dat @@ -4,6 +4,6 @@ moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES -moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat index 0dfba54ea..6e6de5e96 100644 --- a/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat +++ b/testing/tests/ipv6-stroke/transport-ikev2/evaltest.dat @@ -5,6 +5,6 @@ sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES -moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat index ef6ec2b98..b7b92d020 100644 --- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat +++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat @@ -1,4 +1,4 @@ -moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat index 23add7ae5..f3068ce8b 100644 --- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat +++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat @@ -1,4 +1,4 @@ -moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat index 877459c88..bbf6c2ea3 100644 --- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat @@ -1,4 +1,4 @@ -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat index a3e2bad94..97e0de01c 100644 --- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat @@ -1,4 +1,4 @@ -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat index 591e2da59..f85d6127f 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat @@ -1,4 +1,4 @@ -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat index 2ee553a61..b776ea938 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat @@ -1,4 +1,4 @@ -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat index 72dade743..21569bdaa 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES sun:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES -alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES sun ::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat index 1202a99d2..a199765a0 100644 --- a/testing/tests/ipv6/rw-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat index d5d5a6b1c..aa450e296 100644 --- a/testing/tests/ipv6/rw-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat index 026235171..394521b25 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat index dd120f524..f4c8851c0 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat index e92aa028d..5009bf41f 100644 --- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat @@ -1,6 +1,6 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat index ce79801ec..b748003e8 100644 --- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat index 082416d60..9016ba473 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat @@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block c moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP..*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat index 736425d36..659ca42ab 100644 --- a/testing/tests/ipv6/transport-ikev1/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat @@ -1,6 +1,6 @@ moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES -moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=1 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat index 48ddcd069..a754598f9 100644 --- a/testing/tests/ipv6/transport-ikev2/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat @@ -1,6 +1,6 @@ moon::ip xfrm state::mode transport::YES sun:: ip xfrm state::mode transport::YES -moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES +moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1::YES moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat index e9a30b9ac..cdb8ead3c 100644 --- a/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat +++ b/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat @@ -1,4 +1,4 @@ -alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org: icmp_seq=3::YES +alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3::YES moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt index b3515c333..4b8eeb87e 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/description.txt +++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt @@ -1,4 +1,3 @@ -Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / MODP_2048 by defining ike=camellia256-sha256-modp2048 as well as -the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA1_96 by defining esp=camellia192-sha1 -in ipsec.conf. A ping from carol to alice successfully checks the established tunnel. +Roadwarrior carol proposes to gateway moon the IKE cipher suite +camellia256-sha512-modp3072 as well as the ESP cipher suite camellia192-sha384. +A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat index 937860593..68edc54b7 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat @@ -1,10 +1,6 @@ -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES -carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 4628311d4..000000000 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf index 976544b24..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bdde28391 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 1 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf deleted file mode 100644 index da1fbf06b..000000000 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf index 976544b24..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..116e06c26 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 1 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat index 046d4cfdc..2b00bea8e 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat index e34f70277..ae2c30429 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection net carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/test.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt index a1f31495d..773e43a35 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_256 and ECP_384 whereas dave proposes ECP_256 and ECP_521. Since moon does not support ECP_256 the roadwarriors fall back to ECP_384 and ECP_521, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat index 553c79451..2cc3382df 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat @@ -1,15 +1,9 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 2ed83f06a..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-ecp256,aes192-sha384-ecp384! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..3ed559068 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384 + } + } + version = 1 + proposals = aes128-sha256-ecp256,aes192-sha384-ecp384 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 105ec3ce4..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-ecp256,aes256-sha512-ecp521! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf index fde691e96..5b59e8d55 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b5a2be9e8 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521 + } + } + version = 1 + proposals = aes128-sha256-ecp256,aes256-sha512-ecp521 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 0a312b394..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes192-sha384-ecp384,aes256-sha512-ecp521! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7c5b3080d --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521 + } + } + version = 1 + proposals = aes192-sha384-ecp384,aes256-sha512-ecp521 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt index 84b6eb4bf..c365455d0 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 +plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes des sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_192 and ECP_224 whereas dave proposes ECP_192 and ECP_256. Since moon does not support ECP_192 the roadwarriors fall back to ECP_224 and ECP_256, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat index 327d63bf8..183f5e97f 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat @@ -1,17 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 6fe17a9ee..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes192-sha384-ecp192,3des-sha256-ecp224! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..013e6b1bc --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224 + } + } + version = 1 + proposals = 3des-sha1-ecp192,3des-sha256-ecp224 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf deleted file mode 100644 index ade897727..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes192-sha384-ecp192,aes128-sha256-ecp256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf index fde691e96..6c9cf718d 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4f5c016c2 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256 + } + } + version = 1 + proposals = 3des-sha1-ecp192,aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 3992b52fb..000000000 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-sha256-ecp224,aes128-sha256-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..417ad0508 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256 + } + } + version = 1 + proposals = 3des-sha256-ecp224,aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt index 4f855eb1a..3bbcdfa32 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt +++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt @@ -1,11 +1,12 @@ The hosts carol, dave, and moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on ECDSA signatures using Elliptic Curve certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat index 9a8516dad..2127b2bf4 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat @@ -1,11 +1,3 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_NULL successful::YES @@ -14,6 +6,10 @@ carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECD dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 1527867c7..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 646f6e8e3..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C -Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud -EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ -aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u -Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 -cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n -c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA -7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm -q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE -gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index c277ba4f6..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C - -CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH -7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB -71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem new file mode 100644 index 000000000..c277ba4f6 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C + +CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH +7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB +71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..abf46a755 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 1 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + ecdsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem new file mode 100644 index 000000000..646f6e8e3 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C +Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud +EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ +aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u +Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 +cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n +c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA +7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm +q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE +gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf deleted file mode 100644 index ed9410c04..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 35b3df49a..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO -PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 -7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ -rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd -BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT -tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 -onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 -MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l -Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq -duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 -d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP -GnRyvRuhwRkbBIGt6l1mbA== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index 40a76935e..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n -2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco -AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B -Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ebd3a2839..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem new file mode 100644 index 000000000..40a76935e --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n +2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco +AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B +Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..3981ac2ea --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm16-ecp384 + } + } + version = 1 + proposals = aes256-sha384-ecp384 + } +} diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem new file mode 100644 index 000000000..35b3df49a --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO +PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 +7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ +rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd +BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT +tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 +onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 +MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l +Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq +duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 +d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP +GnRyvRuhwRkbBIGt6l1mbA== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 359029d02..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a4962286e..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI -zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr -dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx -JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu -M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl -8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB -7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G -A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr -aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq -hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT -tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 -ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN -Vjo6NkA= ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 24f07b5d7..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B -qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb -Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ -7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd -lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem new file mode 100644 index 000000000..24f07b5d7 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B +qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb +Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ +7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd +lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1ddf9621e --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256 + } + } + version = 1 + proposals = aes256-aes128-sha384-sha256-ecp384-ecp256 + } +} diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..a4962286e --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI +zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr +dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx +JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu +M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl +8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB +7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G +A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr +aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq +hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT +tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 +ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN +Vjo6NkA= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat index 1865a1c60..3d10c0f1f 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat +++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat @@ -1,6 +1,11 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::rm /etc/swanctl/ecdsa/carolKey.pem +dave::rm /etc/swanctl/ecdsa/daveKey.pem +moon::rm /etc/swanctl/ecdsa/moonKey.pem moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat index e87a8ee47..c86fdede5 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat +++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat @@ -1,11 +1,14 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/carolKey.pem +dave::rm /etc/swanctl/rsa/daveKey.pem +moon::rm /etc/swanctl/rsa/moonKey.pem +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt deleted file mode 100644 index cfa7a11b9..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt +++ /dev/null @@ -1,16 +0,0 @@ -The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 certificate -functions whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp hmac gcm and x509. -

-Roadwarrior carol proposes to gateway moon the cipher suite -AES_GCM_16_256 both for IKE and ESP by defining ike=aes256gcm16-prfsha512-modp2048 -(or alternatively aes256gcm128) and esp=aes256gcm16-modp2048 in ipsec.conf, -respectively. -

-Roadwarrior dave proposes to gateway moon the cipher suite -AES_GCM_16_128 both for IKE and ESP by defining ike=aes128gcm16-prfsha256-modp1536 -(or alternatively aes128gcm128) and esp=aes128gcm16-modp1536 in ipsec.conf, -respectively. -

-A ping by carol and dave to alice successfully checks the established tunnels. diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat deleted file mode 100644 index 44bd75895..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat +++ /dev/null @@ -1,26 +0,0 @@ -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES -moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES -dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES -moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES -moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES -carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES -dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES -moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES -carol::ip xfrm state::aead rfc4106(gcm(aes))::YES -dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES - diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf deleted file mode 100644 index c0016ff61..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256gcm128-prfsha512-modp2048! - esp=aes256gcm128-modp2048! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4a7e09c6a..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 335eda02c..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-modp1536! - esp=aes128gcm128-modp1536! - -conn home - left=PH_IP_DAVE - leftfirewall=yes - leftcert=daveCert.pem - leftid=dave@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 99069ae82..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 566298bed..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536! - esp=aes256gcm16-modp2048,aes128gcm16-modp1536! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4a7e09c6a..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 random nonce revocation openssl curl stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat deleted file mode 100644 index e87a8ee47..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home -dave::expect-connection home -dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf deleted file mode 100644 index c3f38054b..000000000 --- a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol dave winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-blowfish/description.txt b/testing/tests/openssl-ikev2/alg-blowfish/description.txt deleted file mode 100644 index d30d9d2da..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/description.txt +++ /dev/null @@ -1,11 +0,0 @@ -The roadwarriors carol and dave as well as the gateway moon -use the openssl plugin based on the OpenSSL library for all -cryptographical functions, thus making the Blowfish available as an IKEv2 cipher. -

-The roadwarriors carol and dave set up a connection each -to gateway moon using Blowfish for both IKE and ESP -encryption. Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, both carol and dave ping -the client alice behind the gateway moon. - diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat deleted file mode 100644 index a4f1f2998..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat +++ /dev/null @@ -1,17 +0,0 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES -dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES -dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES -carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES -dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES - diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf deleted file mode 100644 index adee238e6..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=blowfish256-sha512-modp2048! - esp=blowfish192-sha384! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4a5e52dbd..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf deleted file mode 100644 index e22322431..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=blowfish128-sha256-modp1536! - esp=blowfish128-sha256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 4a5e52dbd..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 43bbb36a9..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! - esp=blowfish192-sha384,blowfish128-sha256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4a5e52dbd..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat deleted file mode 100644 index e87a8ee47..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home -dave::expect-connection home -dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-camellia/description.txt b/testing/tests/openssl-ikev2/alg-camellia/description.txt index b3515c333..4b8eeb87e 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/description.txt +++ b/testing/tests/openssl-ikev2/alg-camellia/description.txt @@ -1,4 +1,3 @@ -Roadwarrior carol proposes to gateway moon the IKE cipher suite CAMELLIA_CBC_256 / -HMAC_SHA2_512_256 / MODP_2048 by defining ike=camellia256-sha256-modp2048 as well as -the ESP cipher suite CAMELLIA_CBC_192 / HMAC_SHA1_96 by defining esp=camellia192-sha1 -in ipsec.conf. A ping from carol to alice successfully checks the established tunnel. +Roadwarrior carol proposes to gateway moon the IKE cipher suite +camellia256-sha512-modp3072 as well as the ESP cipher suite camellia192-sha384. +A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat index 937860593..8a2e36baa 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat @@ -1,10 +1,6 @@ -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES -moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES -carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES -carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES moon:: ip xfrm state::enc cbc(camellia)::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf deleted file mode 100644 index f0bbfc10f..000000000 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn home - left=PH_IP_CAROL - leftfirewall=yes - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index 976544b24..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ebdb473fb --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 8481f8974..000000000 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=camellia256-sha512-modp3072! - esp=camellia192-sha384! - -conn rw - left=PH_IP_MOON - leftfirewall=yes - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf index 976544b24..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..90c566bb6 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = camellia192-sha384 + } + } + version = 2 + proposals = camellia256-sha512-modp3072 + } +} diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat index 046d4cfdc..2b00bea8e 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat +++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat @@ -1,4 +1,5 @@ -moon::ipsec stop -carol::ipsec stop +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat index e34f70277..ae2c30429 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat @@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection net carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf index 4a5fc470f..307c7e9cc 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/test.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt index d0ae5a823..e37d5489c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the Brainpool DH groups ECP_256_BP and ECP_384_BP whereas dave proposes ECP_256_BP and ECP_512_B P. Since moon does not support ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat index ebc7752f2..746d90280 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat @@ -1,19 +1,12 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_512_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf deleted file mode 100644 index bfca8965f..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..893130d66 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256bp,aes192gcm16-ecp384bp + } + } + version = 2 + proposals = aes128-sha256-ecp256bp,aes192-sha384-ecp384bp + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 2b16165dc..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf index fde691e96..5b59e8d55 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e522d15d7 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256bp,aes256gcm16-ecp512bp + } + } + version = 2 + proposals = aes128-sha256-ecp256bp,aes256-sha512-ecp512bp + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 8c02c9fea..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..93fc75e14 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm16-ecp384bp,aes256gcm16-ecp512bp + } + } + version = 2 + proposals = aes192-sha384-ecp384bp,aes256-sha512-ecp512bp + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt index 78eb0ffb3..35323dab6 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt @@ -1,17 +1,16 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 +plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes des sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the Brainpool DH groups ECP_384_BP and ECP_224_BP whereas -dave proposes ECP_192_BP and ECP_256_BP. Since moon does not support +dave proposes ECP_384_BP and ECP_256_BP. Since moon does not support ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. - diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat index ff9fb202c..1c64d0f16 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat @@ -1,19 +1,12 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES -carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224_BP.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf deleted file mode 100644 index be85b6c1e..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..deba223ce --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm16-ecp384bp,3des-sha256-ecp224bp + } + } + version = 2 + proposals = aes192-sha384-ecp384bp,3des-sha256-ecp224bp + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 1adedc048..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf index fde691e96..6c9cf718d 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ab8fcf6a3 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm16-ecp384bp,aes128gcm16-ecp256bp + } + } + version = 2 + proposals = aes192-sha384-ecp384bp,aes128-sha256-ecp256bp + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf deleted file mode 100644 index b4cd86c60..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c12a7d4c6 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha256-ecp224bp,aes128gcm16-ecp256bp + } + } + version = 2 + proposals = 3des-sha256-ecp224bp,aes128-sha256-ecp256bp + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt index a1f31495d..773e43a35 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt +++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_256 and ECP_384 whereas dave proposes ECP_256 and ECP_521. Since moon does not support ECP_256 the roadwarriors fall back to ECP_384 and ECP_521, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat index 4cee48d89..07ad135d8 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat @@ -1,17 +1,11 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES -carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 2fd776e25..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256,aes192-sha384-ecp384! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..46942c7e2 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384 + } + } + version = 2 + proposals = aes128-sha256-ecp256,aes192-sha384-ecp384 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 8d8989ed7..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256,aes256-sha512-ecp521! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf index fde691e96..5b59e8d55 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..828c4d6c7 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521 + } + } + version = 2 + proposals = aes128-sha256-ecp256,aes256-sha512-ecp521 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf deleted file mode 100644 index addcc6175..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp384,aes256-sha512-ecp521! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..18a98ad6e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521 + } + } + version = 2 + proposals = aes192-sha384-ecp384,aes256-sha512-ecp521 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt index 84b6eb4bf..c365455d0 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt @@ -1,17 +1,17 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical and X.509 +plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan -cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl +cryptographical plugins aes des sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_192 and ECP_224 whereas dave proposes ECP_192 and ECP_256. Since moon does not support ECP_192 the roadwarriors fall back to ECP_224 and ECP_256, respectively.

-Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat index 818082ca8..88fe3a1e3 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat @@ -1,19 +1,12 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES -carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES -dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf deleted file mode 100644 index b754c29ba..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp192,3des-sha256-ecp224! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e21bcd3b5 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224 + } + } + version = 2 + proposals = 3des-sha1-ecp192,3des-sha256-ecp224 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf deleted file mode 100644 index b5e9215c5..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes192-sha384-ecp192,aes128-sha256-ecp256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf index fde691e96..6c9cf718d 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f38c4353b --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256 + } + } + version = 2 + proposals = 3des-sha1-ecp192,aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 2e4a15ec3..000000000 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha256-ecp224,aes128-sha256-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5caa77eb9 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256 + } + } + version = 2 + proposals = 3des-sha256-ecp224,aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat index 1865a1c60..199873ba1 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat index e87a8ee47..dd1a17ccb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat @@ -1,11 +1,11 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt index 8c0d37c88..4f472b83b 100644 --- a/testing/tests/openssl-ikev2/critical-extension/description.txt +++ b/testing/tests/openssl-ikev2/critical-extension/description.txt @@ -1,5 +1,5 @@ A connection between the subnets behind the gateways moon and sun is set up. The authentication is based on X.509 certificates which contain a critical but -unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical +unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf, sun discards such certificates and aborts the connection setup. diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat index cc904c8bc..e91ba2b82 100644 --- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat +++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat @@ -1,6 +1,4 @@ moon::cat /var/log/daemon.log::sending end entity cert::YES moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES -sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES -sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der deleted file mode 100644 index 7f78d5820..000000000 Binary files a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der and /dev/null differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 4d99866f7..000000000 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm -MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ -qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 -ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR -fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN -2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 -K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 -mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc -ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f -XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy -Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx -J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj -zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 -8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT -61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo -PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug -bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b -eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 -ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am -DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt -v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 -fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw -y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC -h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 -cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY ------END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf index a72c82525..f2104c5f8 100644 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -1,9 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown multiple_authentication = no +} +libstrongswan { x509 { enforce_critical = no } diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..4d99866f7 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm +MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ +qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 +ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR +fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN +2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 +K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 +mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc +ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f +XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy +Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx +J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj +zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 +8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT +61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo +PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug +bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b +eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 +ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am +DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt +v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 +fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw +y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC +h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 +cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0b0aa32a5 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der new file mode 100644 index 000000000..7f78d5820 Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der deleted file mode 100644 index c1efb6719..000000000 Binary files a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der and /dev/null differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem deleted file mode 100644 index d8fad9aad..000000000 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB -eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ -mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV -sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK -3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ -mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl -QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw -HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH -eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 -/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ -RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc -Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY -Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ -Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h -BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv -NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF -wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc -JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 -5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf -mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi -N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr -r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX -jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy -gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV -zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== ------END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf index d67640548..77d858547 100644 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem new file mode 100644 index 000000000..d8fad9aad --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB +eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ +mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV +sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK +3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ +mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl +QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw +HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH +eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 +/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ +RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc +Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY +Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ +Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h +BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv +NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF +wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc +JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 +5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf +mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi +N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr +r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX +jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy +gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV +zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bb068bdbe --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der new file mode 100644 index 000000000..c1efb6719 Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der differ diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat index 837738fc6..83cd75a5d 100644 --- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat +++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat @@ -1,5 +1,4 @@ -moon::ipsec stop -sun::ipsec stop -moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush - +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::rm /etc/swanctl/x509/moonCert.der +sun::rm /etc/swanctl/x509/sunCert.der diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat index 08ca6b54c..cc8d9d74f 100644 --- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat +++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat @@ -1,7 +1,7 @@ -moon::iptables-restore < /etc/iptables.rules -sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -sun::expect-connection net-net -moon::ipsec up net-net +moon::rm /etc/swanctl/x509/moonCert.pem +sun::rm /etc/swanctl/x509/sunCert.pem +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf index b286ef6eb..d3016a886 100644 --- a/testing/tests/openssl-ikev2/critical-extension/test.conf +++ b/testing/tests/openssl-ikev2/critical-extension/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt index 4f855eb1a..3bbcdfa32 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt +++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt @@ -1,11 +1,12 @@ The hosts carol, dave, and moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions.

-The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on ECDSA signatures using Elliptic Curve certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat index 18fdacfff..a018f735d 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat @@ -1,17 +1,13 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES -dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf deleted file mode 100644 index c562e359c..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 646f6e8e3..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C -Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud -EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ -aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u -Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 -cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n -c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA -7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm -q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE -gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index c277ba4f6..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C - -CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH -7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB -71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem new file mode 100644 index 000000000..c277ba4f6 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/ecdsa/carolKey.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C + +CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH +7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB +71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..06c23a791 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + ecdsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem new file mode 100644 index 000000000..646f6e8e3 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509/carolCert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C +Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud +EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ +aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u +Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 +cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n +c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA +7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm +q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE +gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 62a62a463..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 35b3df49a..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO -PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 -7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ -rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd -BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT -tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 -onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 -MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l -Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq -duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 -d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP -GnRyvRuhwRkbBIGt6l1mbA== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index 40a76935e..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n -2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco -AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B -Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ebd3a2839..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf index d94b17950..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -1,6 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown - signature_authentication = no + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem new file mode 100644 index 000000000..40a76935e --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/ecdsa/daveKey.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n +2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco +AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B +Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f7eb029b0 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm16-ecp384 + } + } + version = 2 + proposals = aes256-sha384-ecp384 + } +} diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem new file mode 100644 index 000000000..35b3df49a --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509/daveCert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO +PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 +7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ +rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd +BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT +tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 +onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 +MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l +Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq +duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 +d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP +GnRyvRuhwRkbBIGt6l1mbA== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf deleted file mode 100644 index c5e5e61b0..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a4962286e..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI -zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr -dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx -JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu -M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl -8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB -7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G -A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr -aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq -hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT -tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 -ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN -Vjo6NkA= ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 24f07b5d7..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B -qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb -Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ -7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd -lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf index 4a5e52dbd..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem new file mode 100644 index 000000000..24f07b5d7 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/ecdsa/moonKey.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B +qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb +Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ +7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd +lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0d99a8189 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256 + } + } + version = 2 + proposals = aes256-aes128-sha384-sha256-ecp384-ecp256 + } +} diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..a4962286e --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI +zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr +dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx +JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu +M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl +8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB +7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G +A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr +aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq +hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT +tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 +ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN +Vjo6NkA= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat index 1865a1c60..3d10c0f1f 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat @@ -1,6 +1,11 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::rm /etc/swanctl/ecdsa/carolKey.pem +dave::rm /etc/swanctl/ecdsa/daveKey.pem +moon::rm /etc/swanctl/ecdsa/moonKey.pem moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat index e87a8ee47..c86fdede5 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat @@ -1,11 +1,14 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/carolKey.pem +dave::rm /etc/swanctl/rsa/daveKey.pem +moon::rm /etc/swanctl/rsa/moonKey.pem +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat index 46eaccd7a..a018f735d 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat @@ -1,13 +1,13 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf deleted file mode 100644 index c562e359c..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 646f6e8e3..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C -Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud -EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ -aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u -Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 -cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n -c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA -7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm -q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE -gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index d043dfd6d..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiROOtxlAFj6QICCAAw -HQYJYIZIAWUDBAECBBBD9qsqx1EbF8RiH8mOSf9iBIGQ3URjA/8q9stwEZNsEtS5 -/EzlxReZu+hSmH4+PlOXegP8bSpVtSC+wgTierfXNKDOV4Bs+OY3F/l0D0NYYiaj -u041/vF1NuO38Fu5rwMZJcCZhlLXVuQVBqyQ5I+52RxTjoEluIQ5MvJOcMap/mc+ -saMMOFLlCeiseIuAWOjcpFzoOWUgXRcABCXJItj+6RgK ------END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf index a2b5acb79..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem new file mode 100644 index 000000000..d043dfd6d --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/pkcs8/carolKey.pem @@ -0,0 +1,7 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiROOtxlAFj6QICCAAw +HQYJYIZIAWUDBAECBBBD9qsqx1EbF8RiH8mOSf9iBIGQ3URjA/8q9stwEZNsEtS5 +/EzlxReZu+hSmH4+PlOXegP8bSpVtSC+wgTierfXNKDOV4Bs+OY3F/l0D0NYYiaj +u041/vF1NuO38Fu5rwMZJcCZhlLXVuQVBqyQ5I+52RxTjoEluIQ5MvJOcMap/mc+ +saMMOFLlCeiseIuAWOjcpFzoOWUgXRcABCXJItj+6RgK +-----END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..048f3bbf9 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm16-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + pkcs8-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem new file mode 100644 index 000000000..646f6e8e3 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509/carolCert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C +Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud +EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ +aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u +Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 +cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n +c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA +7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm +q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE +gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 62a62a463..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 35b3df49a..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO -PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 -7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ -rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd -BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT -tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 -onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 -MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l -Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq -duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 -d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP -GnRyvRuhwRkbBIGt6l1mbA== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index c32137ef9..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIfDUTNLH0pIECAggA -MB0GCWCGSAFlAwQBFgQQJkz6Ue4pqL1cy6jxNoXBMQSBwMn8dxyRJjcjbPvy6v7r -Zdn7Nb69xYhkH2n+8DY8vfutsh9g84HbzzBLhpl1MJZXq8xwxS1AQUYNJqoIrd9s -4j8IkGZX935I2FBABzN4JEdY2h1zX3VJxU0XgDLEPYYJUUY0PTQ+5P1ooYyDg73t -lAUw2eKPl9sgdX2f+5gTLVJZMFkWJsCFkCHFRdLaFdsaXcoB8TI0UWYSK1yJD+6K -XbCMqK/jV/jckXtwCMIG8/DSxnObFu2PEUGjzMSAVUvCWQ== ------END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 56f6e6365..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd" diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf index a2b5acb79..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem new file mode 100644 index 000000000..c32137ef9 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/pkcs8/daveKey.pem @@ -0,0 +1,8 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIfDUTNLH0pIECAggA +MB0GCWCGSAFlAwQBFgQQJkz6Ue4pqL1cy6jxNoXBMQSBwMn8dxyRJjcjbPvy6v7r +Zdn7Nb69xYhkH2n+8DY8vfutsh9g84HbzzBLhpl1MJZXq8xwxS1AQUYNJqoIrd9s +4j8IkGZX935I2FBABzN4JEdY2h1zX3VJxU0XgDLEPYYJUUY0PTQ+5P1ooYyDg73t +lAUw2eKPl9sgdX2f+5gTLVJZMFkWJsCFkCHFRdLaFdsaXcoB8TI0UWYSK1yJD+6K +XbCMqK/jV/jckXtwCMIG8/DSxnObFu2PEUGjzMSAVUvCWQ== +-----END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..8557928c2 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm16-ecp384 + } + } + version = 2 + proposals = aes256-sha384-ecp384 + } +} + + +secrets { + + pkcs8-dave { + file = daveKey.pem + secret = "OJlNZBx+80dLh4wC6fw5LmBd" + } +} diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem new file mode 100644 index 000000000..35b3df49a --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509/daveCert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO +PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 +7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ +rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd +BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT +tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 +onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 +MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l +Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq +duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 +d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP +GnRyvRuhwRkbBIGt6l1mbA== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf deleted file mode 100644 index c5e5e61b0..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128gcm16! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a4962286e..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI -zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr -dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx -JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu -M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl -8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB -7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G -A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr -aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq -hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT -tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 -ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN -Vjo6NkA= ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 24f07b5d7..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B -qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb -Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ -7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd -lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf index a2b5acb79..a322670f4 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 pkcs8 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem new file mode 100644 index 000000000..24f07b5d7 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/ecdsa/moonKey.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B +qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb +Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ +7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd +lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0d99a8189 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm16-aes128gcm16-ecp384-ecp256 + } + } + version = 2 + proposals = aes256-aes128-sha384-sha256-ecp384-ecp256 + } +} diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..a4962286e --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS +b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB +IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI +zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr +dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx +JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu +M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl +8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB +7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G +A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr +aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq +hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT +tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 +ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN +Vjo6NkA= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..a1a86a222 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE +AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG +AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE +J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb +TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd +uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E +J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd +YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA +ihgk0RArH39otlUFPSbSE9bicCDy +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat index 1865a1c60..ff2860e45 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat @@ -1,6 +1,11 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +carol::rm /etc/swanctl/pkcs8/carolKey.pem +dave::rm /etc/swanctl/pkcs8/daveKey.pem +moon::rm /etc/swanctl/ecdsa/moonKey.pem moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat index e87a8ee47..c86fdede5 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat @@ -1,11 +1,14 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start +carol::rm /etc/swanctl/rsa/carolKey.pem +dave::rm /etc/swanctl/rsa/daveKey.pem +moon::rm /etc/swanctl/rsa/moonKey.pem +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt deleted file mode 100644 index bd680b57a..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -A connection between the subnets behind the gateways moon and sun is set up. -The authentication is based on OpenPGP V3 keys. Upon the successful -establishment of the IPsec tunnel, leftfirewall=yes automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, client alice behind gateway moon -pings client bob located behind gateway sun. diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat deleted file mode 100644 index 468c5f7ee..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun ::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun .*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES -moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf deleted file mode 100644 index fcb9d839f..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp3072! - esp=aes128gcm16! - mobike=no - -conn net-net - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.asc - leftid=@#71270432cd763a18020ac988c0e75aed - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightcert=sunCert.asc - auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc deleted file mode 100644 index 135cfaec0..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/613A3B61 2005/08/07 moon - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB -vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 -f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac -t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP -=oaBj ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc deleted file mode 100644 index 32f204b10..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/79949ADD 2005/08/07 sun - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR -A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj -0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn -lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== -=lLvB ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc deleted file mode 100644 index 6524773e0..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc +++ /dev/null @@ -1,19 +0,0 @@ -Type Bits/KeyID Date User ID -sec 1024/613A3B61 2005/08/07 moon - ------BEGIN PGP SECRET KEY BLOCK----- -Version: 2.6.3i - -lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd -JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9 -FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6 -7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3 -0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN -8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7 -QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v -biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4= -=YFQm ------END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index afb1ff927..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.asc diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf deleted file mode 100644 index aea93d234..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown -} - diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 91d6ef5d8..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp3072! - esp=aes128gcm16! - mobike=no - -conn net-net - left=PH_IP_SUN - leftsubnet=10.2.0.0/16 - leftcert=sunCert.asc - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightcert=moonCert.asc - rightid=@#71270432cd763a18020ac988c0e75aed - auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc deleted file mode 100644 index 135cfaec0..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/613A3B61 2005/08/07 moon - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB -vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 -f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac -t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP -=oaBj ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc deleted file mode 100644 index 32f204b10..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/79949ADD 2005/08/07 sun - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR -A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj -0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn -lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== -=lLvB ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc deleted file mode 100644 index de2393649..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc +++ /dev/null @@ -1,19 +0,0 @@ -Type Bits/KeyID Date User ID -sec 1024/79949ADD 2005/08/07 sun - ------BEGIN PGP SECRET KEY BLOCK----- -Version: 2.6.3i - -lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI -Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1 -GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg -vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2 -LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn -2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs -xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu -IDxzdW4uc3Ryb25nc3dhbi5vcmc+ -=DwEu ------END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index ee98b1611..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA sunKey.asc diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf deleted file mode 100644 index aea93d234..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown -} - diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat deleted file mode 100644 index 9a9513dc3..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/private/* -sun::rm /etc/ipsec.d/certs/* -sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat deleted file mode 100644 index 969c42337..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat +++ /dev/null @@ -1,9 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -sun::iptables-restore < /etc/iptables.rules -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -sun::expect-connection net-net -moon::ipsec up net-net diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf deleted file mode 100644 index afa2accbe..000000000 --- a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt index e66ea1918..1d40e30f0 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt @@ -2,7 +2,7 @@ A connection between the subnets behind the gateways moon and sun The authentication is based on X.509 certificates and an RSA private key stored in PKCS12 format.

-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. +Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun. diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat index fe4aa5ab1..bfc7e76f1 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat @@ -1,7 +1,5 @@ -moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 195710a7f..000000000 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp3072! - esp=aes128gcm16! - mobike=no - -conn net-net - left=PH_IP_MOON - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 deleted file mode 100644 index 365da741f..000000000 Binary files a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 and /dev/null differ diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 802cfc681..000000000 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ" diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf index 2448837f3..a8ed13448 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown + load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 new file mode 100644 index 000000000..365da741f Binary files /dev/null and b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 differ diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b11cf0f3e --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + pkcs12-moon { + file = moonCert.p12 + secret = "kUqd8O7mzbjXNJKQ" + } +} diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf deleted file mode 100644 index 292fbeeb6..000000000 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-modp3072! - esp=aes128gcm16! - mobike=no - -conn net-net - left=PH_IP_SUN - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 deleted file mode 100644 index e2cd2f21d..000000000 Binary files a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 and /dev/null differ diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index 3dc85528c..000000000 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,8 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: P12 sunCert.p12 "IxjQVCF3JGI+MoPi" - - - - - diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf index 2448837f3..a8ed13448 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem nonce revocation openssl curl stroke kernel-netlink socket-default updown + load = pem nonce revocation openssl curl vici kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 new file mode 100644 index 000000000..e2cd2f21d Binary files /dev/null and b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 differ diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..28c0e87a4 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + pkcs12-sun { + file = sunCert.p12 + secret = "IxjQVCF3JGI+MoPi" + } +} diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat index 0fbba487c..9802f442d 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop -sun::ipsec stop +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/private/moonCert.p12 -sun::rm /etc/ipsec.d/private/sunCert.p12 +moon::rm /etc/swanctl/pkcs12/moonCert.p12 +sun::rm /etc/swanctl/pkcs12/sunCert.p12 diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat index 47e6d8604..22ffcf949 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat @@ -1,11 +1,9 @@ -moon::rm /etc/ipsec.d/private/moonKey.pem -moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem -sun::rm /etc/ipsec.d/private/sunKey.pem -sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem +moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem +sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start -sun::ipsec start -moon::expect-connection net-net -sun::expect-connection net-net -moon::ipsec up net-net +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf index 646b8b3e6..87abc763b 100644 --- a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf +++ b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt index b16faad06..ca738a1d4 100644 --- a/testing/tests/openssl-ikev2/rw-cert/description.txt +++ b/testing/tests/openssl-ikev2/rw-cert/description.txt @@ -1,11 +1,12 @@ The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp and x509. -

-The roadwarriors carol and dave set up a connection each +plugins aes des sha1 sha2 hmac gmp and x509. +

+The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. -Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat index be78c5125..572a138a6 100644 --- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat @@ -1,15 +1,10 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 213cd70fa..000000000 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=3des-sha1-modp1536! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 8197ea8b1..996be95f5 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown + load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e8504addb --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = 3des-sha1-modp2048 + } + } + version = 2 + proposals = 3des-sha1-modp2048 + } +} diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 653316fde..000000000 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha256-modp2048! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 058abcad7..f2b8046e0 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..27c6f12ba --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 16299b339..000000000 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256-sha256-modp2048,3des-sha1-modp1536! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 8197ea8b1..996be95f5 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown + load = test-vectors pem pkcs1 openssl curl revocation nonce xcbc cmac ctr ccm vici kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..aa8d6167a --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072,3des-sha1-modp2048 + } + } + version = 2 + proposals = aes128-sha256-modp3072,3des-sha1-modp2048 + } +} diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat index 1865a1c60..b909ac76c 100644 --- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat @@ -1,6 +1,8 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat index 974c22530..61fc17ba2 100644 --- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat @@ -1,12 +1,11 @@ -moon::iptables-restore < /etc/iptables.rules +mmoon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -# moon runs crypto tests, so make sure it is ready +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl moon::expect-connection rw carol::expect-connection home -carol::ipsec up home +carol::swanctl --initiate --child home 2> /dev/null dave::expect-connection home -dave::ipsec up home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf index f29298850..1227b9d1c 100644 --- a/testing/tests/openssl-ikev2/rw-cert/test.conf +++ b/testing/tests/openssl-ikev2/rw-cert/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt b/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt deleted file mode 100644 index e25da6935..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarrior carol sets up a connection to gateway moon. -The strong mutual authentication of both peers is based on EAP-TLS only -(without a separate IKEv2 authentication), using TLS client and server certificates, -respectively. Elliptic curve cryptography is used by both the IKE and TLS -protocols. diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat deleted file mode 100644 index 5b525ef06..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat +++ /dev/null @@ -1,10 +0,0 @@ -carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES -moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES -carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES -carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES -carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf deleted file mode 100644 index f3d7a807c..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128-sha256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org" - rightauth=any - rightsubnet=10.1.0.0/16 - rightsendcert=never - auto=add diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 646f6e8e3..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C -Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud -EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ -aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u -Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 -cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n -c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA -7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm -q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE -gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index c277ba4f6..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,E62D0EE78FCCAD3B03EA4F93FEFD057C - -CppPKxfVWWaXK3iuFa27YOe/0lWsvzhYKShyq9XanpjuCkcmxKD97eAH1TKokasH -7ffgnKzbLloxJN6g0GMTPpfiRndeK36DyTwktkyt+h+LU1xooSmNnsaM41P0GaPB -71Y87B5E5DCmWQO0icQKbQPj66GNwxBh9S6a8OaxnkU= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf deleted file mode 100644 index f5b116b3b..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown - multiple_authentication=no - syslog { - daemon { - tls = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 2236a5f71..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128-sha256-ecp256! - esp=aes128-sha256! - -conn rw-eap - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftauth=eap-tls - leftfirewall=yes - rightauth=eap-tls - rightsendcert=never - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a4962286e..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMTCCApOgAwIBAgIBDjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMDQ0M1oXDTIzMDYxMTEyMDQ0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDUyMSBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwgZswEAYHKoZI -zj0CAQYFK4EEACMDgYYABADF8xmbPu/a05BVtNnZflimozXZgYi+Md7hKREzL7qr -dvtRwbyvki3XNo7zzc1HF/FcYyLJ7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcx -JTF74PtzYGKaMWCP+YN52u3tGaOdlvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPu -M2HRBKOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRl -8cuEZmUGoBIWQeXSYzWq/7ou4jB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB -7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB4G -A1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr -aHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAKBggq -hkjOPQQDAgOBiwAwgYcCQgDtARCWbIy+tdsD9EYw/oTxfrnsWP0fw1/3UKXjSAlT -tZfJfE743Y7Zl2vqmRIeohQBYY09reTOFnUfYx/jONsTUQJBSB7w+z/CcTCQGIV8 -ISaaeAskxcg/+h87ha+5ZOkHoJDeJTqaatHu3dVx8OepEiQS0TSB9FNxj9g/9bYN -Vjo6NkA= ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 24f07b5d7..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIAtiNgtSnZ9gKIXkKvb8f1J+ubRkBssvOaHYjv7RMvVOqw5kQGb11B -qXHVf2Qt25/1DccijDu27YQJQLVTY0k5elSgBwYFK4EEACOhgYkDgYYABADF8xmb -Pu/a05BVtNnZflimozXZgYi+Md7hKREzL7qrdvtRwbyvki3XNo7zzc1HF/FcYyLJ -7U1j71G6QVSN7mRHBgAspFYE1LpjBlrObWcxJTF74PtzYGKaMWCP+YN52u3tGaOd -lvrDiJVi8i/GAuGjIG2tYQVJZQzqUgHHSWPuM2HRBA== ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4aa2068f4..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = pem pkcs1 random nonce openssl curl revocation stroke kernel-netlink socket-default eap-tls updown - multiple_authentication=no - syslog { - daemon { - tls = 2 - } - } -} - -libtls { - suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -} diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat deleted file mode 100644 index 046d4cfdc..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat deleted file mode 100644 index 1578796a1..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -moon::expect-connection rw-eap -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf deleted file mode 100644 index 4a5fc470f..000000000 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt deleted file mode 100644 index 26e42c4b7..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt +++ /dev/null @@ -1,12 +0,0 @@ -The roadwarrior dave tries to set up a connection to roadwarrior carol -but because carol has set the strongswan.conf option initiator_only = yes -she ignores the repeated IKE requests sent by dave. -

-After the failed connection attempt by dave, roadwarrior carol sets up a -connection to gateway moon. The authentication is based on Suite B with 128 bit -security based on X.509 ECDSA certificates, ECP Diffie-Hellman groups and AES-GCM -authenticated encryption. -

-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of -an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall, -carol pings the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat deleted file mode 100644 index b00c4cd40..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat +++ /dev/null @@ -1,11 +0,0 @@ -dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES -carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 61e13df41..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 646f6e8e3..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC8TCCAlKgAwIBAgIBEDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTEyMVoXDTIzMDYxMTEyMTEyMVowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE3WHJOZfpI6KZX6zlKRtCvY0VwHW/K8SWjDCuoq+C -Vb7NnQ0Lpfb22Cihwjf0/ne78AcYGapZdt8/tdxlpQm+9qOCARQwggEQMAkGA1Ud -EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSpGHTyNt5Tfshldm2Oz0MlnHZ+ -aTB4BgNVHSMEcTBvgBS6XflxthO1atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9u -Z1N3YW4gRUMgUm9vdCBDQYIJAPaidX4i76aJMB8GA1UdEQQYMBaBFGNhcm9sQHN0 -cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25n -c3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIA -7r9urYVPXwOUBU120HDb/0Z+ezMm8vFtGsrJPME9JdW7bdkb1IpWpSobn3Ua94Gm -q7PtKPYbOoF6m4aAIhouWkwCQgChGMvdnRhLQiItMGybWY5mLOYemM9U3CjNLRSE -gDIPWr67i05MwdofcT2hYPSFHAyeI7OfJikHrAfDcTok6kPA3A== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index c8c12c3b7..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAgyh91hjqzCuAICCAAw -HQYJYIZIAWUDBAECBBBZwepsRENncvW5UJ/blAqmBIGQZdbHnD3PWEbUXZJPkbIK -VvJZkd2+k12IxdShMWwCeW93R+3nj+7T0NPAQqMbuqz51zgO+SuXDupUIKdLHKMy -vdasLrbA3fe7YFVlxQjB6fB69V059ifi61OCIO/KfC7Je4ff3TZVwJcUYpduPIkQ -BZAw46T0JtrXltFgxxGYnnTlzuYW6EDB3l6Fwb2zCyZm ------END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules deleted file mode 100644 index 3d99c0197..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf deleted file mode 100644 index d117a3001..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - initiator_only = yes - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 22fcb3eb5..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn peer - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_CAROL - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 0f6315794..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC7TCCAlCgAwIBAgIBEjAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMzUyNFoXDTIzMDYxMTEyMzUyNFowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAATRc+i666sxHVohZ/4ld8ffz2xoa+x9+7TzM689nczQ -oZMs3+AJIjjNzdjvEe6kPHW73p51IdtlVF97Ib62hgQuo4IBEzCCAQ8wCQYDVR0T -BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDA3QkktCD5ZvWeiepNeQPWpcKP8 -MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYETZGF2ZUBzdHJv -bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3 -YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GKADCBhgJBOrfM -xT0Cn1uXVvuS977ANQZwzAX4O9y5POFXBkDKLFPL9hgWg7jxhREkDRcvViovMmiM -EAjoEZLD8SysfYrRZxcCQXtgWTfS2GAIDSQS1of1so/8Z/xZdfoIWxRoZ/xmH7jY -Yt3wK6yGjziEbX9LGN4MkOwkJKjEkTwbTygv7Wt3arz/ ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index a4041c5fa..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEICEAikut4YuFnv6vLE/7Lk+LmQ+ic35apftbhu2+TICQoAoGCCqGSM49 -AwEHoUQDQgAE0XPouuurMR1aIWf+JXfH389saGvsffu08zOvPZ3M0KGTLN/gCSI4 -zc3Y7xHupDx1u96edSHbZVRfeyG+toYELg== ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ebd3a2839..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules deleted file mode 100644 index 3d99c0197..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf deleted file mode 100644 index d117a3001..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - initiator_only = yes - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f7044e51d..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekey=no - reauth=no - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index 961c8bec8..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC7jCCAlCgAwIBAgIBEzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzE0MzEzMVoXDTIzMDYxMTE0MzEzMVowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAATCqc/Wov++N8wvG3IhsEAxa38bxoIBPQZeOqMyi/lV -breEsOSJD/POV3gkt1lKOaQ502XdJcjdAvCqjtbpzCMWo4IBEzCCAQ8wCQYDVR0T -BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFAtkayAwMYDQqnlKDRvm7HNCIxY8 -MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG -EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n -U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYDVR0RBBcwFYITbW9vbi5zdHJv -bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3 -YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMCA4GLADCBhwJBVnfl -l9eV6R+jNdUCuz+yDdM7c1UpQ+Qy7rtXq50KZY7d1xJsTk152LxXIkO8EJnHmO4l -s39RHlGXItWcYGffXIICQgCLB+R8QFnMcKlgpjrxsuO/Ljg1RcMav3y3zaHJJJLT -eJBEL7RhDaPGcJ/hKU4TPwvSEIkswQaDnN+oAZiz/gFDUw== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index c0a8c852b..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIG7fewqQ4RTIWsck4m9ftByXOl4X0va0RtYqdbiF9CAHoAoGCCqGSM49 -AwEHoUQDQgAEwqnP1qL/vjfMLxtyIbBAMWt/G8aCAT0GXjqjMov5VW63hLDkiQ/z -zld4JLdZSjmkOdNl3SXI3QLwqo7W6cwjFg== ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules deleted file mode 100644 index cc12d1659..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf deleted file mode 100644 index feb5d79a6..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat deleted file mode 100644 index 290f57e69..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -dave::expect-connection peer -dave::ipsec up peer -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt deleted file mode 100644 index b8cb4fb8b..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt +++ /dev/null @@ -1,12 +0,0 @@ -The roadwarrior dave tries to set up a connection to roadwarrior carol -but because carol has set the strongswan.conf option initiator_only = yes -she ignores the repeated IKE requests sent by dave. -

-After the failed connection attempt by dave, roadwarrior carol sets up a -connection to gateway moon. The authentication is based on Suite B with 192 bit -security based on X.509 ECDSA certificates, ECP Diffie-Hellman groups and AES-GCM -authenticated encryption. -

-Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of -an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall, -carol pings the client alice behind the gateway moon. diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat deleted file mode 100644 index 3de5c94e0..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat +++ /dev/null @@ -1,11 +0,0 @@ -dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES -carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 14146ef01..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256gcm128-prfsha384-ecp384! - esp=aes256gcm128-ecp384! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index f3f4c6671..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDDjCCAm+gAwIBAgIBETAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMzQzMloXDTIzMDYxMTEyMzQzMlowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDM4NCBiaXQxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI -zj0CAQYFK4EEACIDYgAExm8lmoXGUfLL8xzhhQFmadz7SjPdubASbH9m+t7h30OV -yo+NPmtve7uqrWzttyWfqR7tFSOLtP5joj8U9E580ilT/2MsjVQJpKOFpYaggPUK -f+fhRwfQMUunyyAoIRSbo4IBFDCCARAwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gw -HQYDVR0OBBYEFCQeIdu6skXTNWUg5w1Eb9HR1dU2MHgGA1UdIwRxMG+AFLpd+XG2 -E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu -dXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA -9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwPAYDVR0f -BDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2Fu -X2VjLmNybDAKBggqhkjOPQQDAgOBjAAwgYgCQgGptTrYfjcWM+P66K5W+sq1d4X6 -E0+I2lXRKRiku2vPjpTQZJim4k4pAJNC19R2CCJMBgqab1ROUUsHMMHBNcyR/gJC -AN6S1J68o3UTQwAyN/zXW4ur8cxsPKV9uZYoz7O6Snz+eTliz/g8NPtfLYUseCii -VoXhdWwKkiRd8Cjck+RJHVWh ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index 713942d7f..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIBDjBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI1OV1cAp5SZcCAggA -MB0GCWCGSAFlAwQBFgQQ1SGtVnno2vKhkF+iPT6vygSBwFZQrciZs2FN8cDI0x9c -3OFxbaRawXnagMlpYq/To268rDFtcKGBN7JxwBaFGJw4NFrU/sOu2NkhLuA/Jbaz -w75aQ/MjTeOtwy2PS62J/+T1zqCdfpfCJYeYCc2CPd3E21FbsW0Mmfw1b8vZ2YeS -lsd9jvY/bob4tH68J1ZqErOLaCU0EXPgqlZiLhcDIwfZJDqrZ5xFHk3mcjB6Pc4O -TWwJN+elQoxd29HSASw9plO2p1DRDpSZPTU67UDXDOWfJA== ------END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 4e53ef91a..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules deleted file mode 100644 index 3d99c0197..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf deleted file mode 100644 index d117a3001..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - initiator_only = yes - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf deleted file mode 100644 index b81e9b277..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes256gcm128-prfsha384-ecp384! - esp=aes256gcm128-ecp384! - -conn peer - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_CAROL - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index 35b3df49a..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDDDCCAm2gAwIBAgIBDzAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzEyMTAzMVoXDTIzMDYxMTEyMTAzMVowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDM4NCBiaXQxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO -PQIBBgUrgQQAIgNiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0ocoAfYUe/8KzxU5 -7Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3BQu8lofvwQQxQ -rWnu3qzwqEfwb0iB2WyjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd -BgNVHQ4EFgQUDCdvv80iOq2pGsjrnNiQFP2RjnsweAYDVR0jBHEwb4AUul35cbYT -tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 -onV+Iu+miTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 -MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l -Yy5jcmwwCgYIKoZIzj0EAwIDgYwAMIGIAkIBMxGGwujqlwf+JFNXW/sbxZmynwzq -duPikzCw0wIq+YhFYJVi2YWDz0Ikfn4WUvoiUIC/uSBAJAw/3E3SHO5I4Y8CQgF2 -d6Ct2ocQwMcz5O00i3BsuOjiHvL3VB3GGG8rfIXAqwUAy4jXQo0bMh2yD+5WwKmP -GnRyvRuhwRkbBIGt6l1mbA== ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index 40a76935e..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDBz89+bQmsMHvfaCsI0N1bInZ+oxA9JZHZrAAkHGHaWFUQZFXBMB88n -2+6S2JvUbcygBwYFK4EEACKhZANiAAQiPVu1BMrRbeXe2c7zSzBl1UeJfNeM0oco -AfYUe/8KzxU57Gapbm2Gztkm/2V4Zb7PvK3LOKIrUnxNdE0nVvsdIZKSi/BZEm3B -Qu8lofvwQQxQrWnu3qzwqEfwb0iB2Ww= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ebd3a2839..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules deleted file mode 100644 index 3d99c0197..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf deleted file mode 100644 index d117a3001..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - initiator_only = yes - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf deleted file mode 100644 index f37dae945..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekey=no - reauth=no - keyexchange=ikev2 - ike=aes256gcm128-prfsha384-ecp384! - esp=aes256gcm128-ecp384! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index a1a86a222..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICUTCCAbKgAwIBAgIJAPaidX4i76aJMAoGCCqGSM49BAMEMEgxCzAJBgNVBAYT -AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT -d2FuIEVDIFJvb3QgQ0EwHhcNMTMwNjEzMDAwMDAwWhcNMjMwNjEzMDAwMDAwWjBI -MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UE -AxMVc3Ryb25nU3dhbiBFQyBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GG -AAQBFMdTb4zSs2wx2kTzLKiH/+km1KcwWu/Df1iMheq2I/HuTHAKn0381HxSWWKE -J/5mz91X4zsUbjA465X73YDMcJMBQ4oFkHx4NwiW0u3kI4ztTK8cSCVLX0k5xdvb -TIeiGDHcWmSpaAhgjq6ZhghncQ9vysKF9UgNwZZ42jbe5Ek6J5KjQjBAMA8GA1Ud -EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS6XflxthO1atHd -uja3qtLB7o/Y0jAKBggqhkjOPQQDBAOBjAAwgYgCQgGC5TVO0Yy05OIO9GwQ1X7E -J08tyxmzQnCPfXKEEUOD+DDnSCcK0aCrGAIZCTmLR7euOCZ8gkPurJbML5RAjJjd -YQJCAL9qmPe6hWCEEOiOgCsy50nr5Qwo+FfS05ZItrUGVUQZES9BtmpkhjZlAOrA -ihgk0RArH39otlUFPSbSE9bicCDy ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a71ffdca1..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDCzCCAm2gAwIBAgIBFDAKBggqhkjOPQQDAjBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTE4MDYxMzE0MzE1MVoXDTIzMDYxMTE0MzE1MVowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO -PQIBBgUrgQQAIgNiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q4+MyOBab2jzM -AVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSBwyYzL9+Nhnam -F6qMSaPBnIE2CK2hgqGjggETMIIBDzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAd -BgNVHQ4EFgQUT4FEmRbCvjxKsXqruiQgzC50pj0weAYDVR0jBHEwb4AUul35cbYT -tWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 -eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2 -onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1 -MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l -Yy5jcmwwCgYIKoZIzj0EAwIDgYsAMIGHAkIAhHCvrcHfCJbPcNDdyT4x3F3V2wq7 -96TzcVzlLJ+zSxr3Xo3eqOZaxAlnnoI4aQIukZ0RXzSCebDrOL9+k+5uRakCQU9k -W5MphqYKOys+lQmpKBEnzZlM1QvFfUUiXwoxN8Ilc9c0nSVXKl9m/uPgP7GZjvaE -J4juvRKmi2nMoxWIJtMt ------END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index ba7520f6c..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDDuG7KDU5nek/TFvZQIxg89wevYYa1/EDyQHLFanmbK1DTx07Wv9D/b -BL5sHWEPNMGgBwYFK4EEACKhZANiAAQBXgnLJrtT2zS6BEj4WBRskabmIw8TVo3Q -4+MyOBab2jzMAVE44VFjo/ihd1YCeTs8KyZY+w8XPnCqm+z+Z9NeU2tN5wLlVYSB -wyYzL9+NhnamF6qMSaPBnIE2CK2hgqE= ------END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules deleted file mode 100644 index cc12d1659..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf deleted file mode 100644 index feb5d79a6..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - - integrity_test = yes - - crypto_test { - required = yes - on_add = yes - } - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat deleted file mode 100644 index 290f57e69..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -dave::expect-connection peer -dave::ipsec up peer -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat index 6e427b265..a067f6ded 100644 --- a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat @@ -2,8 +2,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128]::YES moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat index 63c8b6414..c483dec2b 100644 --- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat +++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org.*: icmp_seq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat index de62af271..1cc8d8240 100755 --- a/testing/tests/swanctl/config-payload/evaltest.dat +++ b/testing/tests/swanctl/config-payload/evaltest.dat @@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf deleted file mode 100644 index 0340d5669..000000000 --- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf +++ /dev/null @@ -1,9 +0,0 @@ -subnet 10.1.0.0 netmask 255.255.0.0 { - option routers 10.1.0.1; - option broadcast-address 10.1.255.255; - option domain-name servers PH_IP_WINNETOU PH_IP_VENUS - option netbios-name-servers PH_IP_VENUS; - - # dynamic address pool for visitors - range 10.1.0.30 10.1.0.50; -} diff --git a/testing/tests/swanctl/frags-ipv6/evaltest.dat b/testing/tests/swanctl/frags-ipv6/evaltest.dat index f7af441a4..61c94618b 100755 --- a/testing/tests/swanctl/frags-ipv6/evaltest.dat +++ b/testing/tests/swanctl/frags-ipv6/evaltest.dat @@ -11,8 +11,8 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES -alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org: icmp_seq=1::YES -alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org: icmp_seq=1::YES +alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org.*: icmp_seq=1::YES +alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org.*: icmp_seq=1::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/host2host-cert/description.txt b/testing/tests/swanctl/host2host-cert/description.txt new file mode 100755 index 000000000..8f7e6e9f4 --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/description.txt @@ -0,0 +1,6 @@ +A connection between the hosts moon and sun is successfully set up. +The authentication is based on X.509 certificates. +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the host-to-host tunnel moon pings sun. diff --git a/testing/tests/swanctl/host2host-cert/evaltest.dat b/testing/tests/swanctl/host2host-cert/evaltest.dat new file mode 100755 index 000000000..29cd8bfbd --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/evaltest.dat @@ -0,0 +1,6 @@ + +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..42176e76d --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + host-host { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..eeaaeab1d --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,30 @@ +connections { + + host-host { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/host2host-cert/posttest.dat b/testing/tests/swanctl/host2host-cert/posttest.dat new file mode 100755 index 000000000..3d7248cc8 --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike host-host 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/host2host-cert/pretest.dat b/testing/tests/swanctl/host2host-cert/pretest.dat new file mode 100755 index 000000000..b42dce654 --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/pretest.dat @@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection host-host +sun::expect-connection host-hhost +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/swanctl/host2host-cert/test.conf b/testing/tests/swanctl/host2host-cert/test.conf new file mode 100755 index 000000000..52d886dcc --- /dev/null +++ b/testing/tests/swanctl/host2host-cert/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/host2host-transport/description.txt b/testing/tests/swanctl/host2host-transport/description.txt new file mode 100755 index 000000000..bc5a1299b --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/description.txt @@ -0,0 +1,6 @@ +An IPsec transport-mode connection between the hosts moon and sun +is successfully set up. The authentication is based on X.509 certificates. +

+Upon the successful establishment of the IPsec connection, the updown script automatically +inserts iptables-based firewall rules that let pass the protected traffic. +In order to test the host-to-host tunnel moon pings sun. diff --git a/testing/tests/swanctl/host2host-transport/evaltest.dat b/testing/tests/swanctl/host2host-transport/evaltest.dat new file mode 100755 index 000000000..8b103d087 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/evaltest.dat @@ -0,0 +1,6 @@ + +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c1e33eca3 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,31 @@ +connections { + + host-host { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + mode = transport + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0e94678e4 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,31 @@ +connections { + + host-host { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + host-host { + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + mode = transport + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/host2host-transport/posttest.dat b/testing/tests/swanctl/host2host-transport/posttest.dat new file mode 100755 index 000000000..3d7248cc8 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike host-host 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/host2host-transport/pretest.dat b/testing/tests/swanctl/host2host-transport/pretest.dat new file mode 100755 index 000000000..b42dce654 --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/pretest.dat @@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection host-host +sun::expect-connection host-hhost +moon::swanctl --initiate --child host-host 2> /dev/null diff --git a/testing/tests/swanctl/host2host-transport/test.conf b/testing/tests/swanctl/host2host-transport/test.conf new file mode 100755 index 000000000..52d886dcc --- /dev/null +++ b/testing/tests/swanctl/host2host-transport/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat index 130a0b918..5133e426f 100755 --- a/testing/tests/swanctl/ip-pool-db/evaltest.dat +++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat @@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat index 51ac523b8..36ab6c119 100755 --- a/testing/tests/swanctl/ip-pool/evaltest.dat +++ b/testing/tests/swanctl/ip-pool/evaltest.dat @@ -1,7 +1,7 @@ -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES diff --git a/testing/tests/swanctl/ip-two-pools-db/description.txt b/testing/tests/swanctl/ip-two-pools-db/description.txt new file mode 100755 index 000000000..4bad7b1b7 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/description.txt @@ -0,0 +1,14 @@ +The hosts alice, venus, carol, and dave set up tunnel connections +to gateway moon in a hub-and-spoke fashion. Each host requests a virtual IP +from gateway moon which assigns virtual IP addresses from a pool named extpool +[10.3.0.1..10.3.1.244] to hosts connecting to the eth0 (PH_IP_MOON) interface and virtual +IP addresses from a pool named intpool [10.4.0.1..10.4.1.244] to hosts connecting to +the eth1 (PH_IP_MOON1) interface. +Thus carol and dave are assigned PH_IP_CAROL1 and PH_IP_DAVE1, +respectively, whereas alice and venus get 10.4.0.1 and 10.4.0.2, +respectively. +

+By defining the composite traffic selector 10.3.0.0/16,10.4.0.0/16, each of the four +spokes can securely reach any other spoke via the central hub moon. This is +demonstrated by alice and dave pinging the assigned virtual IP addresses +of carol and venus. diff --git a/testing/tests/swanctl/ip-two-pools-db/evaltest.dat b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat new file mode 100755 index 000000000..16dc23669 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/evaltest.dat @@ -0,0 +1,35 @@ +moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES +moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES +moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES +moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES +moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES +venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES +carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES +dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES +alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES +venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES +alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES +dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_.eq=1::YES +alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES +dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES +alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES +venus:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.2/32] remote-ts=\[10.3.0.0/16 10.4.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*ext.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::ext.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*ext.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.3.0.2/32]::YES +moon:: swanctl --list-sas --ike-id 3 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*int.*reqid=3 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::int.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.20 remote-port=4500 remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.2] child-sas.*int.*reqid=4 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.0/16 10.4.0.0/16] remote-ts=\[10.4.0.2/32]::YES +alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES +alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES +dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +venus::tcpdump::IP moon1.strongswan.org > venus.strongswan.org: ESP::YES +venus::tcpdump::IP venus.strongswan.org > moon1.strongswan.org: ESP::YES + diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf new file mode 100755 index 000000000..f021e9c96 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve +} diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7dfef4e38 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 10.1.0.10 + remote_addrs = 10.1.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = aliceCert.pem + id = alice@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.3.0.0/16,10.4.0.0/16 + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..f021e9c96 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve +} diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..fca6efb2e --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.3.0.0/16,10.4.0.0/16 + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..f021e9c96 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve +} diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1f0b361ec --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.3.0.0/16,10.4.0.0/16 + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..a0ed9f0e6 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/iptables.rules @@ -0,0 +1,43 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT +-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT + +*nat + +# masquerade crl fetches to winnetou +-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE + +COMMIT diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..fba531a52 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici + + plugins { + attr-sql { + database = sqlite:///etc/db.d/ipsec.db + } + } +} + +pool { + load = sqlite + database = sqlite:///etc/db.d/ipsec.db +} \ No newline at end of file diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d719d7aad --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,48 @@ +connections { + + ext { + local_addrs = 192.168.0.1 + pools = extpool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + ext { + local_ts = 10.3.0.0/16,10.4.0.0/16 + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } + + int { + local_addrs = 10.1.0.1 + pools = intpool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + int { + local_ts = 10.3.0.0/16,10.4.0.0/16 + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf new file mode 100755 index 000000000..f021e9c96 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve +} diff --git a/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..906b7bdea --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/hosts/venus/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 10.1.0.20 + remote_addrs = 10.1.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = venusCert.pem + id = venus.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.3.0.0/16,10.4.0.0/16 + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/ip-two-pools-db/posttest.dat b/testing/tests/swanctl/ip-two-pools-db/posttest.dat new file mode 100755 index 000000000..cbb2c2498 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/posttest.dat @@ -0,0 +1,18 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +moon::ip route del 10.3.0.0/16 via PH_IP_MOON +moon::ip route del 10.4.0.0/16 via PH_IP_MOON1 +moon::ipsec pool --del extpool 2> /dev/null +moon::ipsec pool --del intpool 2> /dev/null +moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null +moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null +moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null + diff --git a/testing/tests/swanctl/ip-two-pools-db/pretest.dat b/testing/tests/swanctl/ip-two-pools-db/pretest.dat new file mode 100755 index 000000000..7229eee7c --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/pretest.dat @@ -0,0 +1,30 @@ +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null +moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null +moon::ipsec pool --statusattr 2> /dev/null +moon::ip route add 10.3.0.0/16 via PH_IP_MOON +moon::ip route add 10.4.0.0/16 via PH_IP_MOON1 +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl +moon::expect-connection int +moon::expect-connection ext +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null +alice::expect-connection home +alice::swanctl --initiate --child home 2> /dev/null +venus::expect-connection home +venus::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-two-pools-db/test.conf b/testing/tests/swanctl/ip-two-pools-db/test.conf new file mode 100755 index 000000000..9394e0289 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools-db/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice venus carol dave" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="moon" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/ip-two-pools/description.txt b/testing/tests/swanctl/ip-two-pools/description.txt new file mode 100755 index 000000000..df9f54a66 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/description.txt @@ -0,0 +1,9 @@ +The hosts alice and carol set up a tunnel connection each to gateway moon. +Both hosts request a virtual IP via the IKEv2 configuration payload. +Gateway moon assigns virtual IP addresses from pool1 with an address range of +10.3.0.0/28 to hosts connecting to the eth0 (192.168.0.1) interface and +virtual IP addresses from pool2 with an address range of 10.4.0.0/28 to hosts +connecting to the eth1 (10.1.0.1) interface. +

+Thus carol is assigned PH_IP_CAROL1 whereas alice gets 10.4.0.1 and +both ping the gateway moon. diff --git a/testing/tests/swanctl/ip-two-pools/evaltest.dat b/testing/tests/swanctl/ip-two-pools/evaltest.dat new file mode 100755 index 000000000..cb3b60f4d --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/evaltest.dat @@ -0,0 +1,18 @@ +moon:: swanctl --list-pools --raw --name pool1 2> /dev/null::pool1.*base=10.3.0.0 size=14 online=1 offline=0::YES +moon:: swanctl --list-pools --raw --name pool2 2> /dev/null::pool2.*base=10.4.0.0 size=14 online=1 offline=0::YES +moon:: swanctl --list-pools --raw --name pool1 --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES +moon:: swanctl --list-pools --raw --name pool2 --leases 2> /dev/null::address=10.4.0.1 identity=alice@strongswan.org status=online::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.4.0.1 to peer.*alice@strongswan.org::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES +alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[192.168.0.1/32]::YES +alice:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=10.1.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.4.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.4.0.1/32] remote-ts=\[10.1.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*rw1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw2.*version=2 state=ESTABLISHED local-host=10.1.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=10.1.0.10 remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.4.0.1] child-sas.*rw2.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.1/32] remote-ts=\[10.4.0.1/32]::YES +carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES +alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..509fe678f --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 10.1.0.10 + remote_addrs = 10.1.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = aliceCert.pem + id = alice@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..60b216e62 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..a0ed9f0e6 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/iptables.rules @@ -0,0 +1,43 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT +-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT + +*nat + +# masquerade crl fetches to winnetou +-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE + +COMMIT diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..cf4e54024 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,55 @@ +connections { + + rw1 { + local_addrs = 192.168.0.1 + pools = pool1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + rw1 { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } + + rw2 { + local_addrs = 10.1.0.1 + pools = pool2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + rw2 { + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + pool1 { + addrs = 10.3.0.0/28 + } + pool2 { + addrs = 10.4.0.0/28 + } +} diff --git a/testing/tests/swanctl/ip-two-pools/posttest.dat b/testing/tests/swanctl/ip-two-pools/posttest.dat new file mode 100755 index 000000000..0cfeeb120 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +alice::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/ip-two-pools/pretest.dat b/testing/tests/swanctl/ip-two-pools/pretest.dat new file mode 100755 index 000000000..95a32febc --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +alice::expect-connection home +alice::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/ip-two-pools/test.conf b/testing/tests/swanctl/ip-two-pools/test.conf new file mode 100755 index 000000000..5f67b7ed5 --- /dev/null +++ b/testing/tests/swanctl/ip-two-pools/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="carol alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2057b5193 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..aa6f98076 --- /dev/null +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files deleted file mode 100644 index 10c26aa15..000000000 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files +++ /dev/null @@ -1,3 +0,0 @@ -sim_files { - simtriplets = "/etc/freeradius/triplets.dat" -} diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default index 91425f812..51b64a74b 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default @@ -2,8 +2,19 @@ authorize { preprocess chap mschap - sim_files + files suffix + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } eap { ok = return } diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat deleted file mode 100644 index aaabab89e..000000000 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat +++ /dev/null @@ -1,6 +0,0 @@ -228060123456001,30000000000000000000000000000000,30112233,305566778899AABB -228060123456001,31000000000000000000000000000000,31112233,315566778899AABB -228060123456001,32000000000000000000000000000000,32112233,325566778899AABB -228060123456002,33000000000000000000000000000000,33112233,335566778899AABB -228060123456002,34000000000000000000000000000000,34112233,345566778899AABB -228060123456002,35000000000000000000000000000000,35112233,355566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users index e69de29bb..aa6f98076 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat index 010a4f9c4..93b379348 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat @@ -1,4 +1,4 @@ carol::systemctl stop strongswan-swanctl dave::systemctl stop strongswan-swanctl moon::systemctl stop strongswan-swanctl -alice::killall radiusd +alice::killall freeradius diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat index 57d39a5e6..10150f03c 100644 --- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat +++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat @@ -1,10 +1,6 @@ -alice::cat /etc/freeradius/clients.conf -alice::cat /etc/freeradius/eap.conf -alice::cat /etc/freeradius/proxy.conf -alice::cat /etc/freeradius/triplets.dat carol::cat /etc/ipsec.d/triplets.dat dave::cat /etc/ipsec.d/triplets.dat -alice::radiusd +alice::freeradius moon::systemctl start strongswan-swanctl carol::systemctl start strongswan-swanctl dave::systemctl start strongswan-swanctl diff --git a/testing/tests/swanctl/nat-rw-psk/description.txt b/testing/tests/swanctl/nat-rw-psk/description.txt new file mode 100644 index 000000000..7754c7f39 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/description.txt @@ -0,0 +1,8 @@ +The roadwarriors alice and venus sitting behind the NAT router moon set up +tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. +Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway sun. +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the tunnel, the NAT-ed hosts alice and venus +ping the client bob behind the gateway sun. diff --git a/testing/tests/swanctl/nat-rw-psk/evaltest.dat b/testing/tests/swanctl/nat-rw-psk/evaltest.dat new file mode 100644 index 000000000..cd171e8c9 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/evaltest.dat @@ -0,0 +1,14 @@ +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: sleep 6::no output expected::NO +bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=10.1.0.10 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=10.1.0.20 remote-host=192.168.0.2 remote-port=4500 remote-id=192.168.0.2 initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.10.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES +sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=192.168.0.2 remote-host=192.168.0.1.*remote-id=10.1.0.20.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES +alice::cat /var/log/daemon.log::sending keep alive::YES +venus::cat /var/log/daemon.log::sending keep alive::YES diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..fd9bf8c7c --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2d601c122 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + nat-t { + local_addrs = 10.1.0.10 + remote_addrs = 192.168.0.2 + + local { + auth = psk + id = 10.1.0.10 + } + remote { + auth = psk + id = 192.168.0.2 + } + children { + nat-t { + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + ike-sun { + id = 192.168.0.2 + secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + } +} diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..7625e5066 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..f7a542d4d --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,36 @@ +connections { + + nat-t { + local_addrs = 192.168.0.2 + + local { + auth = psk + id = 192.168.0.2 + } + remote { + auth = psk + } + children { + nat-t { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + ike-alice { + id = 10.1.0.10 + secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + } + ike-venus { + id = 10.1.0.20 + secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br + } +} diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..fd9bf8c7c --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..654489dfc --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/hosts/venus/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + nat-t { + local_addrs = 10.1.0.20 + remote_addrs = 192.168.0.2 + + local { + auth = psk + id = 10.1.0.20 + } + remote { + auth = psk + id = 192.168.0.2 + } + children { + nat-t { + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + ike-sun { + id = 192.168.0.2 + secret = 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br + } +} + diff --git a/testing/tests/swanctl/nat-rw-psk/posttest.dat b/testing/tests/swanctl/nat-rw-psk/posttest.dat new file mode 100644 index 000000000..a41653640 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/posttest.dat @@ -0,0 +1,7 @@ +sun::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::iptables -t nat -F diff --git a/testing/tests/swanctl/nat-rw-psk/pretest.dat b/testing/tests/swanctl/nat-rw-psk/pretest.dat new file mode 100644 index 000000000..906c5b006 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/pretest.dat @@ -0,0 +1,16 @@ +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +alice::cd /etc/swanctl; rm x509ca/* x509/* rsa/* +venus::cd /etc/swanctl; rm x509ca/* x509/* rsa/* +sun::cd /etc/swanctl; rm x509ca/* x509/* rsa/* +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl +sun::expect-connection nat-t +alice::expect-connection nat-t +alice::swanctl --initiate --child nat-t +venus::expect-connection nat-t +venus::swanctl --initiate --child nat-t diff --git a/testing/tests/swanctl/nat-rw-psk/test.conf b/testing/tests/swanctl/nat-rw-psk/test.conf new file mode 100644 index 000000000..ecc95b837 --- /dev/null +++ b/testing/tests/swanctl/nat-rw-psk/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/nat-rw/description.txt b/testing/tests/swanctl/nat-rw/description.txt new file mode 100644 index 000000000..1ee91b74d --- /dev/null +++ b/testing/tests/swanctl/nat-rw/description.txt @@ -0,0 +1,8 @@ +The roadwarriors alice and venus sitting behind the NAT router moon set up +tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. +Authentication is based on X.509 certificates. +

+Upon the successful establishment of the IPsec tunnels, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the tunnel, the NAT-ed hosts alice and venus +ping the client bob behind the gateway sun. diff --git a/testing/tests/swanctl/nat-rw/evaltest.dat b/testing/tests/swanctl/nat-rw/evaltest.dat new file mode 100644 index 000000000..ae6aaed33 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/evaltest.dat @@ -0,0 +1,14 @@ +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: sleep 6::no output expected::NO +bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES +alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16]::YES +venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw --ike-id 1 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32]::YES +sun:: swanctl --list-sas --raw --ike-id 2 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*name=nat-t.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]:YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): isakmp-nat-keep-alive::YES +alice::cat /var/log/daemon.log::sending keep alive::YES +venus::cat /var/log/daemon.log::sending keep alive::YES diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..fd9bf8c7c --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..61f769637 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/alice/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + nat-t { + local_addrs = 10.1.0.10 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = aliceCert.pem + id = alice@strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..7625e5066 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} diff --git a/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..637260de8 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + nat-t { + local_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + } + children { + nat-t { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..fd9bf8c7c --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0ea7c4055 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/hosts/venus/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + nat-t { + local_addrs = 10.1.0.20 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = venusCert.pem + id = venus.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + nat-t { + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/nat-rw/posttest.dat b/testing/tests/swanctl/nat-rw/posttest.dat new file mode 100644 index 000000000..a41653640 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/posttest.dat @@ -0,0 +1,7 @@ +sun::systemctl stop strongswan-swanctl +alice::systemctl stop strongswan-swanctl +venus::systemctl stop strongswan-swanctl +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::iptables -t nat -F diff --git a/testing/tests/swanctl/nat-rw/pretest.dat b/testing/tests/swanctl/nat-rw/pretest.dat new file mode 100644 index 000000000..63c9d359e --- /dev/null +++ b/testing/tests/swanctl/nat-rw/pretest.dat @@ -0,0 +1,13 @@ +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::systemctl start strongswan-swanctl +alice::systemctl start strongswan-swanctl +venus::systemctl start strongswan-swanctl +sun::expect-connection nat-t +alice::expect-connection nat-t +alice::swanctl --initiate --child nat-t +venus::expect-connection nat-t +venus::swanctl --initiate --child nat-t diff --git a/testing/tests/swanctl/nat-rw/test.conf b/testing/tests/swanctl/nat-rw/test.conf new file mode 100644 index 000000000..ecc95b837 --- /dev/null +++ b/testing/tests/swanctl/nat-rw/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/net2net-psk/description.txt b/testing/tests/swanctl/net2net-psk/description.txt new file mode 100755 index 000000000..e064a99de --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/description.txt @@ -0,0 +1,7 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on Preshared Keys (PSK). +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/swanctl/net2net-psk/evaltest.dat b/testing/tests/swanctl/net2net-psk/evaltest.dat new file mode 100755 index 000000000..4c56d5299 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5e2480ee2 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,55 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = psk + id = moon.strongswan.org + } + remote { + auth = psk + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} + +secrets { + ike-1 { + id-1 = moon.strongswan.org + secret = 0x45a30759df97dc26a15b88ff + } + ike-2 { + id-2 = sun.strongswan.org + secret = "This is a strong password" + } + ike-3 { + id-3a = moon.strongswan.org + id-3b =sun.strongswan.org + secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + } + ike-4 { + secret = 'My "home" is my "castle"!' + } + ike-5 { + id-5 = 192.168.0.1 + secret = "Andi's home" + } +} \ No newline at end of file diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b6fc72b7a --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,40 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = psk + id = sun.strongswan.org + } + remote { + auth = psk + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} + +secrets { + ike-1 { + id-moon = moon.strongswan.org + id-sun =sun.strongswan.org + secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + } +} diff --git a/testing/tests/swanctl/net2net-psk/posttest.dat b/testing/tests/swanctl/net2net-psk/posttest.dat new file mode 100755 index 000000000..755f0e5f8 --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-psk/pretest.dat b/testing/tests/swanctl/net2net-psk/pretest.dat new file mode 100755 index 000000000..e82d539fb --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +sun::cd /etc/swanctl; rm rsa/* x509/* x509ca/* +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-psk/test.conf b/testing/tests/swanctl/net2net-psk/test.conf new file mode 100755 index 000000000..07a3b247a --- /dev/null +++ b/testing/tests/swanctl/net2net-psk/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-cert-pss/evaltest.dat b/testing/tests/swanctl/rw-cert-pss/evaltest.dat index a62fda968..c4106c678 100755 --- a/testing/tests/swanctl/rw-cert-pss/evaltest.dat +++ b/testing/tests/swanctl/rw-cert-pss/evaltest.dat @@ -1,7 +1,7 @@ -carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES -moon ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256 successful::YES -moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512 successful::YES -moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384 successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES +dave ::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA_EMSA_PSS_SHA2_512_SALT_64 successful::YES +moon ::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA_EMSA_PSS_SHA2_384_SALT_48 successful::YES alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES diff --git a/testing/tests/swanctl/rw-cert/description.txt b/testing/tests/swanctl/rw-cert/description.txt index 6af7a39ae..f190c0752 100755 --- a/testing/tests/swanctl/rw-cert/description.txt +++ b/testing/tests/swanctl/rw-cert/description.txt @@ -1,5 +1,6 @@ -The roadwarriors carol and dave set up a connection each +The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. +

Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt new file mode 100644 index 000000000..c39829dd5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/description.txt @@ -0,0 +1,11 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Authentication and Key Agreement (EAP-AKA) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method used in UMTS, but here a secret defined in swanctl.conf +is used instead of a USIM/(R)UIM device. +

+In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol +uses the EAP identity carol. diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat new file mode 100644 index 000000000..a655543f9 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1582b2b01 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown +} diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..4aabbaba1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + eap_id = carol + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = "Ar3etTnp01qlpOgb" + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1582b2b01 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown +} diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d68d1f474 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-aka + eap_id = %any + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = "Ar3etTnp01qlpOgb" + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-id-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt new file mode 100644 index 000000000..0138e35f5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/description.txt @@ -0,0 +1,8 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Authentication and Key Agreement (EAP-AKA) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method used in UMTS, but here a secret defined in swanctl.conf +is used instead of a USIM/(R)UIM device. diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat new file mode 100644 index 000000000..0d4f74197 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/evaltest.dat @@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..4d4fc3583 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown +} diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e3d6e50c0 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp01qlpOgb" + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4d4fc3583 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown +} diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..609309f05 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-aka + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = "Ar3etTnp01qlpOgb" + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-aka-rsa/test.conf b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt new file mode 100644 index 000000000..42db2e199 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/description.txt @@ -0,0 +1,10 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the MD5 (EAP-MD5) method of the +Extensible Authentication Protocol to authenticate herself. +

+The gateway forwards all EAP messages to the RADIUS server alice. +In addition to her IKEv2 identitycarol@strongswan.org, roadwarrior +carol uses the EAP identity carol. diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat new file mode 100644 index 000000000..3080ec15a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..dd0825858 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,43 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..d2cc789b3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..590a2b7cf --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + eap_id = carol + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..fa363c345 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..9a59fc15e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + id = *@strongswan.org + eap_id = %any + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat new file mode 100644 index 000000000..f32a56960 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/posttest.dat @@ -0,0 +1,5 @@ +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat new file mode 100644 index 000000000..84ba602c4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf new file mode 100644 index 000000000..0d9e9f3d4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-md5-radius/description.txt b/testing/tests/swanctl/rw-eap-md5-radius/description.txt new file mode 100644 index 000000000..f0f241dc1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/description.txt @@ -0,0 +1,7 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the MD5 (EAP-MD5) method of the +Extensible Authentication Protocol to authenticate herself. +The gateway forwards all EAP messages to the RADIUS server alice. \ No newline at end of file diff --git a/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat new file mode 100644 index 000000000..09a78be83 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/evaltest.dat @@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..dd0825858 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,43 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e57629f2e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..158c26b72 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bf614014d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ad6d62896 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + id = *@strongswan.org + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat new file mode 100644 index 000000000..f32a56960 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/posttest.dat @@ -0,0 +1,5 @@ +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat new file mode 100644 index 000000000..84ba602c4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-md5-radius/test.conf b/testing/tests/swanctl/rw-eap-md5-radius/test.conf new file mode 100644 index 000000000..0d9e9f3d4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/description.txt b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt new file mode 100644 index 000000000..08fd89b65 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/description.txt @@ -0,0 +1,7 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the MD5 (EAP-MD5) method of the +Extensible Authentication Protocol to authenticate herself. + diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat new file mode 100644 index 000000000..c0026af4f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e57629f2e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown +} diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..158c26b72 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e57629f2e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown +} diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..13816d778 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,39 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-md5 + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } + eap-dave { + id = dave@strongswan.org + secret = W7R0g3do + } +} + diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-md5-rsa/test.conf b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt new file mode 100644 index 000000000..95afc08b5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/description.txt @@ -0,0 +1,10 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the Microsoft CHAP version 2 (EAP-MSCHAPV2) +method of the Extensible Authentication Protocol to authenticate herself. +This EAP method is used e.g. by the Windows 7/8/10 Agile VPN client. +

+In addition to her IKEv2 identity which defaults to her IP address, +roadwarrior carol uses the EAP identity carol. diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat new file mode 100644 index 000000000..a1c2d4e88 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/evaltest.dat @@ -0,0 +1,11 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::received EAP identity.*carol +moon:: cat /var/log/daemon.log::EAP method EAP_MSCHAPV2 succeeded, no MSK established +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..d9210aeb5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown +} diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1b5c5d99f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + eap_id = carol + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d9210aeb5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown +} diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d7c1f68ce --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,40 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-mschapv2 + eap_id = %any + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = Ar3etTnp + } + eap-dave { + id = dave + secret = W7R0g3do + } +} + diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-mschapv2-id-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-peap-md5/description.txt b/testing/tests/swanctl/rw-eap-peap-md5/description.txt new file mode 100644 index 000000000..7f9ade88a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +The strong mutual authentication is based on EAP-PEAP only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client +authentication based on EAP-MD5 (phase2 of EAP-PEAP). +

+With the setting charon.plugins.eap-peap.phase2_piggyback = yes the server moon +initiates phase2 of the EAP-PEAP protocol by piggybacking a tunneled EAP Identity request +right onto the TLS Finished message. Client carol presents the correct MD5 password +and succeeds whereas client dave chooses the wrong password and fails. diff --git a/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat new file mode 100644 index 000000000..20ec1561e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/evaltest.dat @@ -0,0 +1,17 @@ +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..733ab2afb --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..db82791b8 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = eap-peap + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..733ab2afb --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7f3b8104b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = eap-peap + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-dave { + id = dave@strongswan.org + secret = UgaM65Va + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4b5445999 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } + plugins { + eap-peap { + phase2_method = md5 + phase2_piggyback = yes + } + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0bb3bfd28 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = eap-peap + certs = moonCert.pem + } + remote { + auth = eap-peap + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } + eap-dave { + id = dave@strongswan.org + secret = W7R0g3do + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat new file mode 100644 index 000000000..199873ba1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/posttest.dat @@ -0,0 +1,6 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat new file mode 100644 index 000000000..9ae476e64 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-peap-md5/test.conf b/testing/tests/swanctl/rw-eap-peap-md5/test.conf new file mode 100644 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-md5/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt new file mode 100644 index 000000000..ef2d24f2f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +The strong mutual authentication is based on EAP-PEAP only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client +authentication based on EAP-MSCHAPv2 (phase2 of EAP-PEAP). +

+Client carol presents the correct MSCHAPv2 password and succeeds whereas client +dave chooses the wrong password and fails. diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat new file mode 100644 index 000000000..dc56ba850 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/evaltest.dat @@ -0,0 +1,17 @@ +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..6f227cc3a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..db82791b8 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = eap-peap + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..6f227cc3a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7f3b8104b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = eap-peap + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-dave { + id = dave@strongswan.org + secret = UgaM65Va + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3b498d93b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,21 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } + plugins { + eap-peap { + phase2_method = mschapv2 + } + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0bb3bfd28 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = eap-peap + certs = moonCert.pem + } + remote { + auth = eap-peap + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } + eap-dave { + id = dave@strongswan.org + secret = W7R0g3do + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat new file mode 100644 index 000000000..199873ba1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/posttest.dat @@ -0,0 +1,6 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat new file mode 100644 index 000000000..9ae476e64 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf new file mode 100644 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-mschapv2/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-peap-radius/description.txt b/testing/tests/swanctl/rw-eap-peap-radius/description.txt new file mode 100644 index 000000000..004068226 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol and dave et up an EAP-PEAP tunnel each via +gateway moon to the RADIUS server alice authenticated by an X.509 +AAA certificate. The strong EAP-PEAP tunnel protects the ensuing weak client +authentication based on EAP-MD5. carol presents the correct MD5 password +and succeeds whereas dave chooses the wrong password and fails. diff --git a/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat new file mode 100644 index 000000000..291e249da --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/evaltest.dat @@ -0,0 +1,17 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..0ae8befe4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,21 @@ +eap { + md5 { + } + default_eap_type = peap + + tls-config tls-common { + private_key_file = ${certdir}/aaaKey.pem + certificate_file = ${certdir}/aaaCert.pem + ca_file = ${cadir}/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = ${certdir}/dh + random_file = ${certdir}/random + } + + peap { + tls = tls-common + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..6ce9d6391 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel @@ -0,0 +1,38 @@ +server inner-tunnel { + +authorize { + filter_username + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..11d3e2acd --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,18 @@ +eap { + md5 { + } + default_eap_type = peap + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + peap { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..dd0825858 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,43 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..cb7743f82 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7ffdd1f4c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..cb7743f82 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..97c0b7057 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-dave { + id = dave@strongswan.org + secret = UgaM65Va + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bf614014d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ad6d62896 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + id = *@strongswan.org + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat new file mode 100644 index 000000000..96b011090 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/posttest.dat @@ -0,0 +1,7 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat new file mode 100644 index 000000000..ff5f6e164 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-peap-radius/test.conf b/testing/tests/swanctl/rw-eap-peap-radius/test.conf new file mode 100644 index 000000000..0e5512b65 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-peap-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol winnetou dave moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt new file mode 100644 index 000000000..41abb363c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/description.txt @@ -0,0 +1,13 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate herself. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

+The gateway forwards all EAP messages to the RADIUS server alice +which also uses static triplets. In addition to her IKEv2 identity +carol@strongswan.org, roadwarrior carol uses the EAP +identity 228060123456001. diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat new file mode 100644 index 000000000..038a2c1e1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2057b5193 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,58 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..1c281a974 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..783587b55 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm LOCAL { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..1dc666992 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,53 @@ +authorize { + files + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } + eap { + ok = return + } +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..1c281a974 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1 @@ +228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..c167ba940 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..11ae80c1e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2576209ef --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + eap_id=228060123456001 + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..fa363c345 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..682136230 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + eap_id = %any + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat new file mode 100644 index 000000000..f32a56960 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/posttest.dat @@ -0,0 +1,5 @@ +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat new file mode 100644 index 000000000..5d875ee77 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/pretest.dat @@ -0,0 +1,10 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +carol::cat /etc/ipsec.d/triplets.dat +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf new file mode 100644 index 000000000..0d9e9f3d4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-id-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt new file mode 100644 index 000000000..26de3c982 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/description.txt @@ -0,0 +1,15 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +At the outset the gateway does not send an AUTH payload thus signalling +a mutual EAP-only authentication. +

+Next the clients use the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate themselves. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

+The gateway forwards all EAP messages to the RADIUS server alice +which also uses static triplets. +

+The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence +the RADIUS server alice returns an Access-Reject message +and the gateway moon sends back EAP_FAILURE. diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat new file mode 100644 index 000000000..3d3359775 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/evaltest.dat @@ -0,0 +1,13 @@ +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..71fa4f18c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..51b64a74b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,72 @@ +authorize { + preprocess + chap + mschap + files + suffix + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..83906807f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB +carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB +carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a73f3003c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = eap + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..a02a42c0d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB +dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB +dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0b1ffc462 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = eap + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bf614014d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..09a2a5358 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = eap + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat new file mode 100644 index 000000000..96b011090 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/posttest.dat @@ -0,0 +1,7 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat new file mode 100644 index 000000000..66c829747 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/pretest.dat @@ -0,0 +1,16 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +carol::cat /etc/ipsec.d/triplets.dat +dave::cat /etc/ipsec.d/triplets.dat +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf new file mode 100644 index 000000000..93f23f1d6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-only-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-sim-radius/description.txt b/testing/tests/swanctl/rw-eap-sim-radius/description.txt new file mode 100644 index 000000000..5cb1bacdc --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/description.txt @@ -0,0 +1,15 @@ +The roadwarriors carol and dave set up a connection to gateway moon. +At the outset the gateway authenticates itself to the clients by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next the clients use the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate themselves. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. +

+The gateway forwards all EAP messages to the RADIUS server alice +which also uses static triplets. +

+The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence +the RADIUS server alice returns an Access-Reject message +and the gateway moon sends back EAP_FAILURE. diff --git a/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat new file mode 100644 index 000000000..476e4e1fc --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/evaltest.dat @@ -0,0 +1,13 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..71fa4f18c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + files + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..51b64a74b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,72 @@ +authorize { + preprocess + chap + mschap + files + suffix + update reply { + EAP-Sim-Rand1 := "%{control:EAP-Sim-Rand1}" + EAP-Sim-Rand2 := "%{control:EAP-Sim-Rand2}" + EAP-Sim-Rand3 := "%{control:EAP-Sim-Rand3}" + EAP-Sim-SRES1 := "%{control:EAP-Sim-SRES1}" + EAP-Sim-SRES2 := "%{control:EAP-Sim-SRES2}" + EAP-Sim-SRES3 := "%{control:EAP-Sim-SRES3}" + EAP-Sim-KC1 := "%{control:EAP-Sim-KC1}" + EAP-Sim-KC2 := "%{control:EAP-Sim-KC2}" + EAP-Sim-KC3 := "%{control:EAP-Sim-KC3}" + } + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..a74267d30 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB +dave@strongswan.org EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..83906807f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB +carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB +carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1433bb561 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..a02a42c0d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +dave@strongswan.org,33000000000000000000000000000000,33112244,335566778899AABB +dave@strongswan.org,34000000000000000000000000000000,34112244,345566778899AABB +dave@strongswan.org,35000000000000000000000000000000,35112244,355566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e573c9933 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bf614014d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e11667564 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat new file mode 100644 index 000000000..96b011090 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/posttest.dat @@ -0,0 +1,7 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat new file mode 100644 index 000000000..66c829747 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/pretest.dat @@ -0,0 +1,16 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +carol::cat /etc/ipsec.d/triplets.dat +dave::cat /etc/ipsec.d/triplets.dat +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-sim-radius/test.conf b/testing/tests/swanctl/rw-eap-sim-radius/test.conf new file mode 100644 index 000000000..93f23f1d6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/description.txt b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt new file mode 100644 index 000000000..4401e679f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/description.txt @@ -0,0 +1,8 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses the GSM Subscriber Identity Module (EAP-SIM) +method of the Extensible Authentication Protocol to authenticate herself. +In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used +instead of a physical SIM card. diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat new file mode 100644 index 000000000..1e967896e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/evaltest.dat @@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..83906807f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB +carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB +carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1433bb561 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..83906807f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB +carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB +carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bcd8ef0e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..6028df452 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-sim + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat new file mode 100644 index 000000000..8cc1c4dc5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-sim-rsa/test.conf b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-sim-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-tls-only/description.txt b/testing/tests/swanctl/rw-eap-tls-only/description.txt new file mode 100644 index 000000000..b3e0450a4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/description.txt @@ -0,0 +1,4 @@ +The roadwarrior carol sets up a connection to gateway moon. +The strong mutual authentication of both peers is based on EAP-TLS only +(without a separate IKEv2 authentication), using TLS client and server certificates, +respectively. diff --git a/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat new file mode 100644 index 000000000..52dc51a62 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c25dc8398 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..cc3e77095 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-tls + certs = carolCert.pem + } + remote { + auth = eap-tls + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c69b0d77b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} \ No newline at end of file diff --git a/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..51150c77c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = eap-tls + certs = moonCert.pem + } + remote { + auth = eap-tls + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-only/posttest.dat b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat new file mode 100644 index 000000000..2b00bea8e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-tls-only/pretest.dat b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat new file mode 100644 index 000000000..90445d430 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/pretest.dat @@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-tls-only/test.conf b/testing/tests/swanctl/rw-eap-tls-only/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-only/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-tls-radius/description.txt b/testing/tests/swanctl/rw-eap-tls-radius/description.txt new file mode 100644 index 000000000..d635ae33e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/description.txt @@ -0,0 +1,7 @@ +The roadwarrior carol sets up a connection to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol uses a mutual EAP-TLS authentication based +on X.509 certificates. The gateway forwards all EAP messages to the +AAA RADIUS server alice. diff --git a/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat new file mode 100644 index 000000000..e3b7cf39a --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/evaltest.dat @@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..e8670dbb7 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,16 @@ +eap { + default_eap_type = tls + + tls-config tls-common { + private_key_file = ${certdir}/aaaKey.pem + certificate_file = ${certdir}/aaaCert.pem + ca_file = ${cadir}/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = ${certdir}/dh + random_file = ${certdir}/random + } + + tls { + tls = tls-common + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..060702784 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,55 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + eap { + ok = return + } + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..e69de29bb diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..92f96ad66 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,13 @@ +eap { + default_eap_type = tls + tls { + certdir = /etc/raddb/certs + cadir = /etc/raddb/certs + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..18ebf9e9d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,41 @@ +authorize { + eap { + ok = return + } +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..247b918e3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1 @@ +carol Cleartext-Password := "Ar3etTnp" diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..585019e47 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown + + multiple_authentication = no + syslog { + daemon { + tls = 2 + } + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..58786ba87 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + certs = carolCert.pem + aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + } + remote { + auth = pubkey + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bf614014d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ebe5ffab7 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + } + remote { + auth = eap-radius + id = "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat new file mode 100644 index 000000000..f32a56960 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/posttest.dat @@ -0,0 +1,5 @@ +carol::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat new file mode 100644 index 000000000..299fccfeb --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-tls-radius/test.conf b/testing/tests/swanctl/rw-eap-tls-radius/test.conf new file mode 100644 index 000000000..0d9e9f3d4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-ttls-only/description.txt b/testing/tests/swanctl/rw-eap-ttls-only/description.txt new file mode 100644 index 000000000..19c00531e --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/description.txt @@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +The strong mutual authentication is based on EAP-TTLS only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client +authentication based on EAP-MD5 (phase2 of EAP-TTLS). +

+With the default setting charon.plugins.eap-ttls.phase2_piggyback = no the server +moon passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by +sending a tunneled orphan EAP Identity response upon the reception of the server's TLS +Finished message. Client carol presents the correct MD5 password and succeeds +whereas client dave chooses the wrong password and fails. diff --git a/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat new file mode 100644 index 000000000..00282ab2b --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/evaltest.dat @@ -0,0 +1,17 @@ +carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f39a874a4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..184aaa5d3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = eap-ttls + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..f39a874a4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..a77bd0079 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + } + remote { + auth = eap-ttls + id = "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-dave { + id = dave@strongswan.org + secret = UgaM65Va + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..860fbf3ac --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf @@ -0,0 +1,21 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + + multiple_authentication=no + syslog { + daemon { + tls = 2 + } + } + plugins { + eap-ttls { + phase2_method = md5 + } + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5ee0c57a3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,37 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = eap-ttls + certs = moonCert.pem + } + remote { + auth = eap-ttls + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } + eap-dave { + id = dave@strongswan.org + secret = W7R0g3do + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat new file mode 100644 index 000000000..199873ba1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/posttest.dat @@ -0,0 +1,6 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat new file mode 100644 index 000000000..9ae476e64 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-ttls-only/test.conf b/testing/tests/swanctl/rw-eap-ttls-only/test.conf new file mode 100644 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-only/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt new file mode 100644 index 000000000..479350c2f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt @@ -0,0 +1,9 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 digital signature accompanied by an X.509 certificate. +

+Next carol and dave et up an EAP-TTLS tunnel each via +gateway moon to the RADIUS server alice authenticated by an X.509 +AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client +authentication based on EAP-MD5. carol presents the correct MD5 password +and succeeds whereas dave chooses the wrong password and fails. diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat new file mode 100644 index 000000000..df4f0d550 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat @@ -0,0 +1,17 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7450c71c4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,21 @@ +eap { + md5 { + } + default_eap_type = ttls + + tls-config tls-common { + private_key_file = ${certdir}/aaaKey.pem + certificate_file = ${certdir}/aaaCert.pem + ca_file = ${cadir}/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = ${certdir}/dh + random_file = ${certdir}/random + } + + ttls { + tls = tls-common + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..6ce9d6391 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel @@ -0,0 +1,38 @@ +server inner-tunnel { + +authorize { + filter_username + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..c91cd40fb --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,18 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..dd0825858 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,43 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d90ccc1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7ffdd1f4c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..85d90ccc1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..97c0b7057 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-dave { + id = dave@strongswan.org + secret = UgaM65Va + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bf614014d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ad6d62896 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + id = *@strongswan.org + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat new file mode 100644 index 000000000..96b011090 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat @@ -0,0 +1,7 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat new file mode 100644 index 000000000..ff5f6e164 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/test.conf b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf new file mode 100644 index 000000000..0e5512b65 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol winnetou dave moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-fhh/description.txt b/testing/tests/tnc/tnccs-11-fhh/description.txt deleted file mode 100644 index 8ce1157e9..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/description.txt +++ /dev/null @@ -1,13 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon -using EAP-TTLS authentication only with the gateway presenting a server certificate and -the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -The Dummy IMC and IMV from the - -TNC@FHH project are used which communicate over a proprietary protocol. -

-carol passes the health test and dave fails. Based on these measurements the -clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, -respectively. - diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat deleted file mode 100644 index 0b7655bdd..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::added group membership 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon deleted file mode 100755 index bf3a6891a..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon +++ /dev/null @@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf deleted file mode 100644 index b094a3aaa..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index 0f266dd93..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.100 - remote_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = carol@strongswan.org - } - remote { - auth = eap-ttls - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = carol@strongswan.org - secret = "Ar3etTnp" - } -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties deleted file mode 100644 index b1c694107..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config deleted file mode 100644 index d2fabe109..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so -#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon deleted file mode 100755 index bf3a6891a..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon +++ /dev/null @@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf deleted file mode 100644 index b094a3aaa..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf deleted file mode 100644 index 989ab88c7..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.200 - remote_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = dave@strongswan.org - } - remote { - auth = eap-ttls - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties deleted file mode 100644 index b1c694107..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config deleted file mode 100644 index d2fabe109..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so -#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon deleted file mode 100755 index bf3a6891a..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon +++ /dev/null @@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf deleted file mode 100644 index aacee2221..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown - - multiple_authentication = no - - syslog { - daemon { - tnc = 3 - } - } - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - phase2_tnc_method = tnc - } - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100644 index 1238c1a91..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,64 +0,0 @@ -connections { - - rw-allow { - local_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = moon.strongswan.org - } - remote { - auth = eap-ttls - id = *@strongswan.org - groups = allow - } - children { - rw-allow { - local_ts = 10.1.0.0/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } - - rw-isolate { - local_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = moon.strongswan.org - } - remote { - auth = eap-ttls - id = *@strongswan.org - groups = isolate - } - children { - rw-isolate { - local_ts = 10.1.0.16/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap-carol { - id = carol@strongswan.org - secret = "Ar3etTnp" - } - eap-dave { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy deleted file mode 100644 index d00491fd7..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy +++ /dev/null @@ -1 +0,0 @@ -1 diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy deleted file mode 100644 index d8215dd3c..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy +++ /dev/null @@ -1,40 +0,0 @@ -#FTP - File Transfer Protocol -TCP 20 = whatever -TCP 21 = close - -#SSH - Secure Shell -TCP 22 = whatever - -#Telnet -TCP 23 = close - -#E-Mail -# -#SMTP - Simple Mail Transfer Protocol -TCP 25 = close -TCP 587 = close -#POP3 - Post Office Protocol version 3 -TCP 110 = close -TCP 995 = close - -#DNS - Domain Name System -UDP 53 = close -TCP 53 = close - -#BOOTP/DHCP - Bootstrap Protocol / -#Dynamic Host Configuration Protocol -UDP 67 = close -#UDP 68 = open -UDP 68 = whatever - -#www - World Wide Web -#HTTP - Hypertext Transfer Protocol -TCP 80 = close -#HTTPS - Hypertext Transfer Protocol Secure -TCP 443 = close - -#examples -TCP 8080 = close -TCP 5223 = whatever -UDP 4444 = close -UDP 631 = whatever diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties deleted file mode 100644 index 122d798b3..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config deleted file mode 100644 index 140caa98f..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan server - -IMV "Dummy" /usr/local/lib/libdummyimv.so -#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat deleted file mode 100644 index 199873ba1..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -carol::systemctl stop strongswan-swanctl -dave::systemctl stop strongswan-swanctl -moon::systemctl stop strongswan-swanctl -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat deleted file mode 100644 index 79340af29..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat +++ /dev/null @@ -1,20 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -carol::rm /etc/swanctl/rsa/* -dave::rm /etc/swanctl/rsa/* -carol::rm /etc/swanctl/x509/* -dave::rm /etc/swanctl/x509/* -moon::systemctl start strongswan-swanctl -carol::systemctl start strongswan-swanctl -dave::systemctl start strongswan-swanctl -moon::expect-connection rw-allow -carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null -dave::expect-connection home -dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf deleted file mode 100644 index 61f2312af..000000000 --- a/testing/tests/tnc/tnccs-11-fhh/test.conf +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS= -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-radius-block/description.txt b/testing/tests/tnc/tnccs-11-radius-block/description.txt deleted file mode 100644 index 67b1a2a34..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/description.txt +++ /dev/null @@ -1,14 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to the - -TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -The IMC and IMV communicate are using the IF-M protocol defined by RFC 5792 PA-TNC. -

-carol passes the health test and dave fails. Based on these measurements carol -is authenticated successfully and is granted access to the subnet behind moon whereas -dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat deleted file mode 100644 index b2fc61949..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat +++ /dev/null @@ -1,15 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES -dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES -moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home::NO -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default deleted file mode 100644 index dd0825858..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default +++ /dev/null @@ -1,43 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second deleted file mode 100644 index c5bde6a9e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second +++ /dev/null @@ -1,36 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - if (control:TNC-Status == "Access") { - update reply { - Tunnel-Type := ESP - Filter-Id := "allow" - } - } - elsif (control:TNC-Status == "Isolate") { - update reply { - Tunnel-Type := ESP - Filter-Id := "isolate" - } - } - - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 7622801ab..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,12 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - load = random nonce sha1 sha2 md5 gmp pubkey x509 - debug_level = 3 - assessment_result = no - plugins { - imv-test { - rounds = 1 - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties deleted file mode 100644 index 2bdc6e4de..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config deleted file mode 100644 index da732f68b..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so -IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 305a9d1e6..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libimcv { - plugins { - imc-test { - command = allow - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index ff58c7c9a..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.100 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = carol@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = carol@strongswan.org - secret = "Ar3etTnp" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 5d17eb638..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libimcv { - plugins { - imc-test { - command = none - } - imc-scanner { - push_info = no - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf deleted file mode 100644 index 5af2098b6..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.200 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = dave@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules deleted file mode 100644 index 1eb755354..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4c9dd6e1f..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown - - multiple_authentication=no - - plugins { - eap-radius { - secret = gv6URkSs - server = 10.1.0.10 - filter_id = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100644 index 28b32b74c..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,27 +0,0 @@ -connections { - - rw { - local_addrs = 192.168.0.1 - - local { - auth = pubkey - id = moon.strongswan.org - certs = moonCert.pem - } - remote { - auth = eap-radius - id = *@strongswan.org - } - children { - rw { - local_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat deleted file mode 100644 index 0d96563c1..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::systemctl stop strongswan-swanctl -dave::systemctl stop strongswan-swanctl -moon::systemctl stop strongswan-swanctl -alice::killall radiusd -alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat deleted file mode 100644 index efddc609e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat +++ /dev/null @@ -1,21 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second -alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second -alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::rm /etc/swanctl/rsa/* -dave::rm /etc/swanctl/rsa/* -carol::rm /etc/swanctl/x509/* -dave::rm /etc/swanctl/x509/* -moon::systemctl start strongswan-swanctl -carol::systemctl start strongswan-swanctl -dave::systemctl start strongswan-swanctl -moon::expect-connection rw -carol::expect-connection home -carol::swanctl --initiate --child home -dave::expect-connection home -dave::swanctl --initiate --child home diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf deleted file mode 100644 index 8d7f51449..000000000 --- a/testing/tests/tnc/tnccs-11-radius-block/test.conf +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt deleted file mode 100644 index d5729dd7b..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/description.txt +++ /dev/null @@ -1,14 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to the - -TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -The communication between the OS and Attestation IMC and the Attestation IMV is based on the - IF-M protocol defined by RFC 5792 PA-TNC. -

-carol passes the health test and dave fails. Based on these measurements the clients -are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat deleted file mode 100644 index 588ddf469..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default deleted file mode 100644 index dd0825858..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default +++ /dev/null @@ -1,43 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second deleted file mode 100644 index c5bde6a9e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second +++ /dev/null @@ -1,36 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - if (control:TNC-Status == "Access") { - update reply { - Tunnel-Type := ESP - Filter-Id := "allow" - } - } - elsif (control:TNC-Status == "Isolate") { - update reply { - Tunnel-Type := ESP - Filter-Id := "isolate" - } - } - - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql deleted file mode 100644 index d87b5e7f9..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql +++ /dev/null @@ -1,29 +0,0 @@ -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) -SELECT 'aabbccddeeff11223344556677889900', id, 1372330615 -FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 10, 1 -); - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 10, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 16, 2, 0 -); - -DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf deleted file mode 100644 index a3f4ca12c..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - load = random nonce openssl pubkey sqlite - debug_level = 3 - database = sqlite:///etc/db.d/config.db - policy_script = /usr/local/libexec/ipsec/imv_policy_manager - assessment_result = no -} - -attest { - database = sqlite:///etc/db.d/config.db -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties deleted file mode 100644 index 2bdc6e4de..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config deleted file mode 100644 index b5ac8c178..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so -IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf deleted file mode 100644 index a534ac66e..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index 1516ad726..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.100 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = carol@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-ecp256 - } - } - version = 2 - proposals = aes128-sha256-ecp256 - } -} - -secrets { - - eap { - id = carol@strongswan.org - secret = "Ar3etTnp" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config deleted file mode 100644 index 15dc93a0a..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so -IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 469e81156..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - retransmit_tries = 5 - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf deleted file mode 100644 index 07b35dcb9..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.200 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = dave@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-ecp256 - } - } - version = 2 - proposals = aes128-sha256-ecp256 - } -} - -secrets { - - eap { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config deleted file mode 100644 index 15dc93a0a..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so -IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules deleted file mode 100644 index 1eb755354..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf deleted file mode 100644 index cbaf67c89..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown - - multiple_authentication=no - - plugins { - eap-radius { - secret = gv6URkSs - server = 10.1.0.10 - filter_id = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100644 index 096eb7b5a..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,53 +0,0 @@ -connections { - - rw-allow { - local_addrs = 192.168.0.1 - - local { - auth = pubkey - id = moon.strongswan.org - certs = moonCert.pem - } - remote { - auth = eap-radius - id = *@strongswan.org - groups = allow - } - children { - rw-allow { - local_ts = 10.1.0.0/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-ecp256 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-ecp256 - } - - rw-isolate { - local_addrs = 192.168.0.1 - - local { - auth = pubkey - id = moon.strongswan.org - } - remote { - auth = eap-radius - id = *@strongswan.org - groups = isolate - } - children { - rw-isolate { - local_ts = 10.1.0.16/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-ecp256 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-ecp256 - } -} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat deleted file mode 100644 index ab96df0ed..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat +++ /dev/null @@ -1,9 +0,0 @@ -carol::systemctl stop strongswan-swanctl -dave::systemctl stop strongswan-swanctl -moon::systemctl stop strongswan-swanctl -alice::killall radiusd -alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second -carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat deleted file mode 100644 index 7d0dfa385..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat +++ /dev/null @@ -1,28 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -carol::echo 0 > /proc/sys/net/ipv4/ip_forward -dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id -alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second -alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second -alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db -alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::rm /etc/swanctl/rsa/* -dave::rm /etc/swanctl/rsa/* -carol::rm /etc/swanctl/x509/* -dave::rm /etc/swanctl/x509/* -moon::systemctl start strongswan-swanctl -carol::systemctl start strongswan-swanctl -dave::systemctl start strongswan-swanctl -moon::expect-connection rw-allow -moon::expect-connection rw-isolate -carol::expect-connection home -carol::swanctl --initiate --child home -dave::expect-connection home -dave::swanctl --initiate --child home -alice::ipsec attest --sessions -alice::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf deleted file mode 100644 index 05d40f98d..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - -# Guest instances on which databases are used -# -DBHOSTS="alice" - -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt deleted file mode 100644 index 4017c6eda..000000000 --- a/testing/tests/tnc/tnccs-11-radius/description.txt +++ /dev/null @@ -1,13 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon. -At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. -carol and dave then set up an EAP-TTLS tunnel each via moon to the - -TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -The communication between IMCs and IMVs is based on the IF-M protocol defined by RFC 5792 PA-TNC. -

-carol passes the health test and dave fails. Based on these measurements the clients -are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat deleted file mode 100644 index cbafc1303..000000000 --- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES -dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES -dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default deleted file mode 100644 index dd0825858..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default +++ /dev/null @@ -1,43 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second deleted file mode 100644 index c5bde6a9e..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second +++ /dev/null @@ -1,36 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - if (control:TNC-Status == "Access") { - update reply { - Tunnel-Type := ESP - Filter-Id := "allow" - } - } - elsif (control:TNC-Status == "Isolate") { - update reply { - Tunnel-Type := ESP - Filter-Id := "isolate" - } - } - - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 7622801ab..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,12 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - load = random nonce sha1 sha2 md5 gmp pubkey x509 - debug_level = 3 - assessment_result = no - plugins { - imv-test { - rounds = 1 - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties deleted file mode 100644 index 2bdc6e4de..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config deleted file mode 100644 index da732f68b..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so -IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 1ca6c3d10..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libimcv { - plugins { - imc-test { - command = allow - } - } -} -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index ff58c7c9a..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.100 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = carol@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = carol@strongswan.org - secret = "Ar3etTnp" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 9df983c80..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown - - multiple_authentication=no - - syslog { - daemon { - tnc = 3 - imc = 3 - } - } - plugins { - eap-tnc { - protocol = tnccs-1.1 - } - } -} - -libimcv { - plugins { - imc-test { - command = isolate - } - imc-scanner { - push_info = no - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf deleted file mode 100644 index 5af2098b6..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.200 - remote_addrs = 192.168.0.1 - - local { - auth = eap - aaa_id = aaa.strongswan.org - id = dave@strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules deleted file mode 100644 index 1eb755354..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4c9dd6e1f..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown - - multiple_authentication=no - - plugins { - eap-radius { - secret = gv6URkSs - server = 10.1.0.10 - filter_id = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100644 index 3caad0c66..000000000 --- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,53 +0,0 @@ -connections { - - rw-allow { - local_addrs = 192.168.0.1 - - local { - auth = pubkey - id = moon.strongswan.org - certs = moonCert.pem - } - remote { - auth = eap-radius - id = *@strongswan.org - groups = allow - } - children { - rw-allow { - local_ts = 10.1.0.0/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } - - rw-isolate { - local_addrs = 192.168.0.1 - - local { - auth = pubkey - id = moon.strongswan.org - } - remote { - auth = eap-radius - id = *@strongswan.org - groups = isolate - } - children { - rw-isolate { - local_ts = 10.1.0.16/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat deleted file mode 100644 index 0d96563c1..000000000 --- a/testing/tests/tnc/tnccs-11-radius/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::systemctl stop strongswan-swanctl -dave::systemctl stop strongswan-swanctl -moon::systemctl stop strongswan-swanctl -alice::killall radiusd -alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat deleted file mode 100644 index bb2ce93b3..000000000 --- a/testing/tests/tnc/tnccs-11-radius/pretest.dat +++ /dev/null @@ -1,22 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second -alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second -alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::rm /etc/swanctl/rsa/* -dave::rm /etc/swanctl/rsa/* -carol::rm /etc/swanctl/x509/* -dave::rm /etc/swanctl/x509/* -moon::systemctl start strongswan-swanctl -carol::systemctl start strongswan-swanctl -dave::systemctl start strongswan-swanctl -moon::expect-connection rw-allow -moon::expect-connection rw-isolate -carol::expect-connection home -carol::swanctl --initiate --child home -dave::expect-connection home -dave::swanctl --initiate --child home diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf deleted file mode 100644 index 8d7f51449..000000000 --- a/testing/tests/tnc/tnccs-11-radius/test.conf +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt deleted file mode 100644 index 5d0155382..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/description.txt +++ /dev/null @@ -1,12 +0,0 @@ -The layer 2 supplicants carol and dave want to connect to a network -via switch moon which delegates the IEEE 802.1X authentication to the RADIUS -server alice. carol and dave set up an EAP-TTLS tunnel -each via moon to the TNC@FHH-enhanced FreeRADIUS server alice authenticated -by an X.509 AAA certificate. -The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 1.1 client-server interface. -The communication between IMCs and IMVs is based on the IF-M protocol defined by RFC 5792 PA-TNC. -

-carol passes the health test and dave fails. Based on these measurements the clients -are connected by switch moon to the "allow" and "isolate" VLANs, respectively. diff --git a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat deleted file mode 100644 index 2d43b3c7b..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat +++ /dev/null @@ -1,2 +0,0 @@ -carol::cat /var/log/daemon.log::IMC.*changed state.*Allowed::YES -dave:: cat /var/log/daemon.log::IMC.*changed state.*Isolate::YES diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf deleted file mode 100644 index 31556361e..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf +++ /dev/null @@ -1,25 +0,0 @@ -eap { - md5 { - } - default_eap_type = ttls - tls { - private_key_file = /etc/raddb/certs/aaaKey.pem - certificate_file = /etc/raddb/certs/aaaCert.pem - CA_file = /etc/raddb/certs/strongswanCert.pem - cipher_list = "DEFAULT" - dh_file = /etc/raddb/certs/dh - random_file = /etc/raddb/certs/random - } - ttls { - default_eap_type = md5 - use_tunneled_reply = yes - virtual_server = "inner-tunnel" - tnc_virtual_server = "inner-tunnel-second" - } -} - -eap eap_tnc { - default_eap_type = tnc - tnc { - } -} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf deleted file mode 100644 index 23cba8d11..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf +++ /dev/null @@ -1,5 +0,0 @@ -realm strongswan.org { - type = radius - authhost = LOCAL - accthost = LOCAL -} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default deleted file mode 100644 index dd0825858..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default +++ /dev/null @@ -1,43 +0,0 @@ -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -preacct { - preprocess - acct_unique - suffix - files -} - -accounting { - detail - unix - radutmp - attr_filter.accounting_response -} - -session { - radutmp -} - -post-auth { - exec - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel deleted file mode 100644 index e088fae14..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel +++ /dev/null @@ -1,32 +0,0 @@ -server inner-tunnel { - -authorize { - suffix - eap { - ok = return - } - files -} - -authenticate { - eap -} - -session { - radutmp -} - -post-auth { - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -pre-proxy { -} - -post-proxy { - eap -} - -} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second deleted file mode 100644 index c5bde6a9e..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second +++ /dev/null @@ -1,36 +0,0 @@ -server inner-tunnel-second { - -authorize { - eap_tnc { - ok = return - } -} - -authenticate { - eap_tnc -} - -session { - radutmp -} - -post-auth { - if (control:TNC-Status == "Access") { - update reply { - Tunnel-Type := ESP - Filter-Id := "allow" - } - } - elsif (control:TNC-Status == "Isolate") { - update reply { - Tunnel-Type := ESP - Filter-Id := "isolate" - } - } - - Post-Auth-Type REJECT { - attr_filter.access_reject - } -} - -} # inner-tunnel-second block diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users deleted file mode 100644 index 50ccf3e76..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users +++ /dev/null @@ -1,2 +0,0 @@ -carol Cleartext-Password := "Ar3etTnp" -dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 7622801ab..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,12 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - load = random nonce sha1 sha2 md5 gmp pubkey x509 - debug_level = 3 - assessment_result = no - plugins { - imv-test { - rounds = 1 - } - } -} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties deleted file mode 100644 index 2bdc6e4de..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config deleted file mode 100644 index da732f68b..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so -IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 965752b5e..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - load = random nonce sha1 sha2 md5 gmp pubkey x509 - debug_level = 3 - plugins { - imc-test { - command = allow - } - } -} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index 00ef0f516..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null @@ -1 +0,0 @@ -# The strongSwan IMCs are loaded by the WPA supplicant diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config deleted file mode 100644 index b4288fd53..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf deleted file mode 100644 index 92d84f570..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf +++ /dev/null @@ -1,10 +0,0 @@ - network={ - ssid="eap_ttls" - scan_ssid=0 - key_mgmt=IEEE8021X - eap=TTLS - identity="carol" - password="Ar3etTnp" - ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem" - id_str="" - } diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf deleted file mode 100644 index ca1f7d9a5..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - load = random nonce sha1 sha2 md5 gmp pubkey x509 - debug_level = 3 - plugins { - imc-test { - command = isolate - } - } -} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf deleted file mode 100644 index 00ef0f516..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf +++ /dev/null @@ -1 +0,0 @@ -# The strongSwan IMCs are loaded by the WPA supplicant diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config deleted file mode 100644 index b4288fd53..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf deleted file mode 100644 index 37a343df6..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf +++ /dev/null @@ -1,10 +0,0 @@ - network={ - ssid="eap_ttls" - scan_ssid=0 - key_mgmt=IEEE8021X - eap=TTLS - identity="dave" - password="W7R0g3do" - ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem" - id_str="" - } diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf deleted file mode 100644 index c84fcbd91..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf +++ /dev/null @@ -1,1127 +0,0 @@ -##### hostapd configuration file ############################################## -# Empty lines and lines starting with # are ignored - -# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for -# management frames); ath0 for madwifi -interface=eth0 - -# In case of madwifi, atheros, and nl80211 driver interfaces, an additional -# configuration parameter, bridge, may be used to notify hostapd if the -# interface is included in a bridge. This parameter is not used with Host AP -# driver. If the bridge parameter is not set, the drivers will automatically -# figure out the bridge interface (assuming sysfs is enabled and mounted to -# /sys) and this parameter may not be needed. -# -# For nl80211, this parameter can be used to request the AP interface to be -# added to the bridge automatically (brctl may refuse to do this before hostapd -# has been started to change the interface mode). If needed, the bridge -# interface is also created. -#bridge=br0 - -# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd); -# default: hostap). nl80211 is used with all Linux mac80211 drivers. -# Use driver=none if building hostapd as a standalone RADIUS server that does -# not control any wireless/wired driver. -driver=wired - -# hostapd event logger configuration -# -# Two output method: syslog and stdout (only usable if not forking to -# background). -# -# Module bitfield (ORed bitfield of modules that will be logged; -1 = all -# modules): -# bit 0 (1) = IEEE 802.11 -# bit 1 (2) = IEEE 802.1X -# bit 2 (4) = RADIUS -# bit 3 (8) = WPA -# bit 4 (16) = driver interface -# bit 5 (32) = IAPP -# bit 6 (64) = MLME -# -# Levels (minimum value for logged events): -# 0 = verbose debugging -# 1 = debugging -# 2 = informational messages -# 3 = notification -# 4 = warning -# -logger_syslog=-1 -logger_syslog_level=2 -logger_stdout=-1 -logger_stdout_level=0 - -# Dump file for state information (on SIGUSR1) -dump_file=/tmp/hostapd.dump - -# Interface for separate control program. If this is specified, hostapd -# will create this directory and a UNIX domain socket for listening to requests -# from external programs (CLI/GUI, etc.) for status information and -# configuration. The socket file will be named based on the interface name, so -# multiple hostapd processes/interfaces can be run at the same time if more -# than one interface is used. -# /var/run/hostapd is the recommended directory for sockets and by default, -# hostapd_cli will use it when trying to connect with hostapd. -ctrl_interface=/var/run/hostapd - -# Access control for the control interface can be configured by setting the -# directory to allow only members of a group to use sockets. This way, it is -# possible to run hostapd as root (since it needs to change network -# configuration and open raw sockets) and still allow GUI/CLI components to be -# run as non-root users. However, since the control interface can be used to -# change the network configuration, this access needs to be protected in many -# cases. By default, hostapd is configured to use gid 0 (root). If you -# want to allow non-root users to use the contron interface, add a new group -# and change this value to match with that group. Add users that should have -# control interface access to this group. -# -# This variable can be a group name or gid. -#ctrl_interface_group=wheel -ctrl_interface_group=0 - - -##### IEEE 802.11 related configuration ####################################### - -# SSID to be used in IEEE 802.11 management frames -#ssid=test - -# Country code (ISO/IEC 3166-1). Used to set regulatory domain. -# Set as needed to indicate country in which device is operating. -# This can limit available channels and transmit power. -#country_code=US - -# Enable IEEE 802.11d. This advertises the country_code and the set of allowed -# channels and transmit power levels based on the regulatory limits. The -# country_code setting must be configured with the correct country for -# IEEE 802.11d functions. -# (default: 0 = disabled) -#ieee80211d=1 - -# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g, -# Default: IEEE 802.11b -hw_mode=g - -# Channel number (IEEE 802.11) -# (default: 0, i.e., not set) -# Please note that some drivers do not use this value from hostapd and the -# channel will need to be configured separately with iwconfig. -channel=1 - -# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535) -beacon_int=100 - -# DTIM (delivery traffic information message) period (range 1..255): -# number of beacons between DTIMs (1 = every beacon includes DTIM element) -# (default: 2) -dtim_period=2 - -# Maximum number of stations allowed in station table. New stations will be -# rejected after the station table is full. IEEE 802.11 has a limit of 2007 -# different association IDs, so this number should not be larger than that. -# (default: 2007) -max_num_sta=255 - -# RTS/CTS threshold; 2347 = disabled (default); range 0..2347 -# If this field is not included in hostapd.conf, hostapd will not control -# RTS threshold and 'iwconfig wlan# rts ' can be used to set it. -rts_threshold=2347 - -# Fragmentation threshold; 2346 = disabled (default); range 256..2346 -# If this field is not included in hostapd.conf, hostapd will not control -# fragmentation threshold and 'iwconfig wlan# frag ' can be used to set -# it. -fragm_threshold=2346 - -# Rate configuration -# Default is to enable all rates supported by the hardware. This configuration -# item allows this list be filtered so that only the listed rates will be left -# in the list. If the list is empty, all rates are used. This list can have -# entries that are not in the list of rates the hardware supports (such entries -# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110. -# If this item is present, at least one rate have to be matching with the rates -# hardware supports. -# default: use the most common supported rate setting for the selected -# hw_mode (i.e., this line can be removed from configuration file in most -# cases) -#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540 - -# Basic rate set configuration -# List of rates (in 100 kbps) that are included in the basic rate set. -# If this item is not included, usually reasonable default set is used. -#basic_rates=10 20 -#basic_rates=10 20 55 110 -#basic_rates=60 120 240 - -# Short Preamble -# This parameter can be used to enable optional use of short preamble for -# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance. -# This applies only to IEEE 802.11b-compatible networks and this should only be -# enabled if the local hardware supports use of short preamble. If any of the -# associated STAs do not support short preamble, use of short preamble will be -# disabled (and enabled when such STAs disassociate) dynamically. -# 0 = do not allow use of short preamble (default) -# 1 = allow use of short preamble -#preamble=1 - -# Station MAC address -based authentication -# Please note that this kind of access control requires a driver that uses -# hostapd to take care of management frame processing and as such, this can be -# used with driver=hostap or driver=nl80211, but not with driver=madwifi. -# 0 = accept unless in deny list -# 1 = deny unless in accept list -# 2 = use external RADIUS server (accept/deny lists are searched first) -macaddr_acl=0 - -# Accept/deny lists are read from separate files (containing list of -# MAC addresses, one per line). Use absolute path name to make sure that the -# files can be read on SIGHUP configuration reloads. -#accept_mac_file=/etc/hostapd.accept -#deny_mac_file=/etc/hostapd.deny - -# IEEE 802.11 specifies two authentication algorithms. hostapd can be -# configured to allow both of these or only one. Open system authentication -# should be used with IEEE 802.1X. -# Bit fields of allowed authentication algorithms: -# bit 0 = Open System Authentication -# bit 1 = Shared Key Authentication (requires WEP) -auth_algs=3 - -# Send empty SSID in beacons and ignore probe request frames that do not -# specify full SSID, i.e., require stations to know SSID. -# default: disabled (0) -# 1 = send empty (length=0) SSID in beacon and ignore probe request for -# broadcast SSID -# 2 = clear SSID (ASCII 0), but keep the original length (this may be required -# with some clients that do not support empty SSID) and ignore probe -# requests for broadcast SSID -ignore_broadcast_ssid=0 - -# TX queue parameters (EDCF / bursting) -# tx_queue__ -# queues: data0, data1, data2, data3, after_beacon, beacon -# (data0 is the highest priority queue) -# parameters: -# aifs: AIFS (default 2) -# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023) -# cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin -# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for -# bursting -# -# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): -# These parameters are used by the access point when transmitting frames -# to the clients. -# -# Low priority / AC_BK = background -#tx_queue_data3_aifs=7 -#tx_queue_data3_cwmin=15 -#tx_queue_data3_cwmax=1023 -#tx_queue_data3_burst=0 -# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0 -# -# Normal priority / AC_BE = best effort -#tx_queue_data2_aifs=3 -#tx_queue_data2_cwmin=15 -#tx_queue_data2_cwmax=63 -#tx_queue_data2_burst=0 -# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0 -# -# High priority / AC_VI = video -#tx_queue_data1_aifs=1 -#tx_queue_data1_cwmin=7 -#tx_queue_data1_cwmax=15 -#tx_queue_data1_burst=3.0 -# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0 -# -# Highest priority / AC_VO = voice -#tx_queue_data0_aifs=1 -#tx_queue_data0_cwmin=3 -#tx_queue_data0_cwmax=7 -#tx_queue_data0_burst=1.5 -# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3 - -# 802.1D Tag (= UP) to AC mappings -# WMM specifies following mapping of data frames to different ACs. This mapping -# can be configured using Linux QoS/tc and sch_pktpri.o module. -# 802.1D Tag 802.1D Designation Access Category WMM Designation -# 1 BK AC_BK Background -# 2 - AC_BK Background -# 0 BE AC_BE Best Effort -# 3 EE AC_BE Best Effort -# 4 CL AC_VI Video -# 5 VI AC_VI Video -# 6 VO AC_VO Voice -# 7 NC AC_VO Voice -# Data frames with no priority information: AC_BE -# Management frames: AC_VO -# PS-Poll frames: AC_BE - -# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): -# for 802.11a or 802.11g networks -# These parameters are sent to WMM clients when they associate. -# The parameters will be used by WMM clients for frames transmitted to the -# access point. -# -# note - txop_limit is in units of 32microseconds -# note - acm is admission control mandatory flag. 0 = admission control not -# required, 1 = mandatory -# note - here cwMin and cmMax are in exponent form. the actual cw value used -# will be (2^n)-1 where n is the value given here -# -wmm_enabled=1 -# -# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] -# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver) -#uapsd_advertisement_enabled=1 -# -# Low priority / AC_BK = background -wmm_ac_bk_cwmin=4 -wmm_ac_bk_cwmax=10 -wmm_ac_bk_aifs=7 -wmm_ac_bk_txop_limit=0 -wmm_ac_bk_acm=0 -# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10 -# -# Normal priority / AC_BE = best effort -wmm_ac_be_aifs=3 -wmm_ac_be_cwmin=4 -wmm_ac_be_cwmax=10 -wmm_ac_be_txop_limit=0 -wmm_ac_be_acm=0 -# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7 -# -# High priority / AC_VI = video -wmm_ac_vi_aifs=2 -wmm_ac_vi_cwmin=3 -wmm_ac_vi_cwmax=4 -wmm_ac_vi_txop_limit=94 -wmm_ac_vi_acm=0 -# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188 -# -# Highest priority / AC_VO = voice -wmm_ac_vo_aifs=2 -wmm_ac_vo_cwmin=2 -wmm_ac_vo_cwmax=3 -wmm_ac_vo_txop_limit=47 -wmm_ac_vo_acm=0 -# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102 - -# Static WEP key configuration -# -# The key number to use when transmitting. -# It must be between 0 and 3, and the corresponding key must be set. -# default: not set -#wep_default_key=0 -# The WEP keys to use. -# A key may be a quoted string or unquoted hexadecimal digits. -# The key length should be 5, 13, or 16 characters, or 10, 26, or 32 -# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or -# 128-bit (152-bit) WEP is used. -# Only the default key must be supplied; the others are optional. -# default: not set -#wep_key0=123456789a -#wep_key1="vwxyz" -#wep_key2=0102030405060708090a0b0c0d -#wep_key3=".2.4.6.8.0.23" - -# Station inactivity limit -# -# If a station does not send anything in ap_max_inactivity seconds, an -# empty data frame is sent to it in order to verify whether it is -# still in range. If this frame is not ACKed, the station will be -# disassociated and then deauthenticated. This feature is used to -# clear station table of old entries when the STAs move out of the -# range. -# -# The station can associate again with the AP if it is still in range; -# this inactivity poll is just used as a nicer way of verifying -# inactivity; i.e., client will not report broken connection because -# disassociation frame is not sent immediately without first polling -# the STA with a data frame. -# default: 300 (i.e., 5 minutes) -ap_max_inactivity=30 - -# Disassociate stations based on excessive transmission failures or other -# indications of connection loss. This depends on the driver capabilities and -# may not be available with all drivers. -#disassoc_low_ack=1 - -# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to -# remain asleep). Default: 65535 (no limit apart from field size) -#max_listen_interval=100 - -# WDS (4-address frame) mode with per-station virtual interfaces -# (only supported with driver=nl80211) -# This mode allows associated stations to use 4-address frames to allow layer 2 -# bridging to be used. -#wds_sta=1 - -# If bridge parameter is set, the WDS STA interface will be added to the same -# bridge by default. This can be overridden with the wds_bridge parameter to -# use a separate bridge. -#wds_bridge=wds-br0 - -# Client isolation can be used to prevent low-level bridging of frames between -# associated stations in the BSS. By default, this bridging is allowed. -#ap_isolate=1 - -##### IEEE 802.11n related configuration ###################################### - -# ieee80211n: Whether IEEE 802.11n (HT) is enabled -# 0 = disabled (default) -# 1 = enabled -# Note: You will also need to enable WMM for full HT functionality. -#ieee80211n=1 - -# ht_capab: HT capabilities (list of flags) -# LDPC coding capability: [LDPC] = supported -# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary -# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz -# with secondary channel below the primary channel -# (20 MHz only if neither is set) -# Note: There are limits on which channels can be used with HT40- and -# HT40+. Following table shows the channels that may be available for -# HT40- and HT40+ use per IEEE 802.11n Annex J: -# freq HT40- HT40+ -# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan) -# 5 GHz 40,48,56,64 36,44,52,60 -# (depending on the location, not all of these channels may be available -# for use) -# Please note that 40 MHz channels may switch their primary and secondary -# channels if needed or creation of 40 MHz channel maybe rejected based -# on overlapping BSSes. These changes are done automatically when hostapd -# is setting up the 40 MHz channel. -# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC] -# (SMPS disabled if neither is set) -# HT-greenfield: [GF] (disabled if not set) -# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set) -# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set) -# Tx STBC: [TX-STBC] (disabled if not set) -# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial -# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC -# disabled if none of these set -# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set) -# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not -# set) -# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set) -# PSMP support: [PSMP] (disabled if not set) -# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set) -#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40] - -# Require stations to support HT PHY (reject association if they do not) -#require_ht=1 - -##### IEEE 802.1X-2004 related configuration ################################## - -# Require IEEE 802.1X authorization -ieee8021x=1 - -# IEEE 802.1X/EAPOL version -# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL -# version 2. However, there are many client implementations that do not handle -# the new version number correctly (they seem to drop the frames completely). -# In order to make hostapd interoperate with these clients, the version number -# can be set to the older version (1) with this configuration value. -#eapol_version=2 - -# Optional displayable message sent with EAP Request-Identity. The first \0 -# in this string will be converted to ASCII-0 (nul). This can be used to -# separate network info (comma separated list of attribute=value pairs); see, -# e.g., RFC 4284. -#eap_message=hello -#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com - -# WEP rekeying (disabled if key lengths are not set or are set to 0) -# Key lengths for default/broadcast and individual/unicast keys: -# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) -# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) -#wep_key_len_broadcast=5 -#wep_key_len_unicast=5 -# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once) -#wep_rekey_period=300 - -# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if -# only broadcast keys are used) -eapol_key_index_workaround=0 - -# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable -# reauthentication). -#eap_reauth_period=3600 - -# Use PAE group address (01:80:c2:00:00:03) instead of individual target -# address when sending EAPOL frames with driver=wired. This is the most common -# mechanism used in wired authentication, but it also requires that the port -# is only used by one station. -#use_pae_group_addr=1 - -##### Integrated EAP server ################################################### - -# Optionally, hostapd can be configured to use an integrated EAP server -# to process EAP authentication locally without need for an external RADIUS -# server. This functionality can be used both as a local authentication server -# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. - -# Use integrated EAP server instead of external RADIUS authentication -# server. This is also needed if hostapd is configured to act as a RADIUS -# authentication server. -eap_server=0 - -# Path for EAP server user database -#eap_user_file=/etc/hostapd.eap_user - -# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS -#ca_cert=/etc/hostapd.ca.pem - -# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS -#server_cert=/etc/hostapd.server.pem - -# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS -# This may point to the same file as server_cert if both certificate and key -# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be -# used by commenting out server_cert and specifying the PFX file as the -# private_key. -#private_key=/etc/hostapd.server.prv - -# Passphrase for private key -#private_key_passwd=secret passphrase - -# Enable CRL verification. -# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a -# valid CRL signed by the CA is required to be included in the ca_cert file. -# This can be done by using PEM format for CA certificate and CRL and -# concatenating these into one file. Whenever CRL changes, hostapd needs to be -# restarted to take the new CRL into use. -# 0 = do not verify CRLs (default) -# 1 = check the CRL of the user certificate -# 2 = check all CRLs in the certificate path -#check_crl=1 - -# dh_file: File path to DH/DSA parameters file (in PEM format) -# This is an optional configuration file for setting parameters for an -# ephemeral DH key exchange. In most cases, the default RSA authentication does -# not use this configuration. However, it is possible setup RSA to use -# ephemeral DH key exchange. In addition, ciphers with DSA keys always use -# ephemeral DH keys. This can be used to achieve forward secrecy. If the file -# is in DSA parameters format, it will be automatically converted into DH -# params. This parameter is required if anonymous EAP-FAST is used. -# You can generate DH parameters file with OpenSSL, e.g., -# "openssl dhparam -out /etc/hostapd.dh.pem 1024" -#dh_file=/etc/hostapd.dh.pem - -# Fragment size for EAP methods -#fragment_size=1400 - -# Configuration data for EAP-SIM database/authentication gateway interface. -# This is a text string in implementation specific format. The example -# implementation in eap_sim_db.c uses this as the UNIX domain socket name for -# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:" -# prefix. -#eap_sim_db=unix:/tmp/hlr_auc_gw.sock - -# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret, -# random value. It is configured as a 16-octet value in hex format. It can be -# generated, e.g., with the following command: -# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' ' -#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f - -# EAP-FAST authority identity (A-ID) -# A-ID indicates the identity of the authority that issues PACs. The A-ID -# should be unique across all issuing servers. In theory, this is a variable -# length field, but due to some existing implementations requiring A-ID to be -# 16 octets in length, it is strongly recommended to use that length for the -# field to provid interoperability with deployed peer implementations. This -# field is configured in hex format. -#eap_fast_a_id=101112131415161718191a1b1c1d1e1f - -# EAP-FAST authority identifier information (A-ID-Info) -# This is a user-friendly name for the A-ID. For example, the enterprise name -# and server name in a human-readable format. This field is encoded as UTF-8. -#eap_fast_a_id_info=test server - -# Enable/disable different EAP-FAST provisioning modes: -#0 = provisioning disabled -#1 = only anonymous provisioning allowed -#2 = only authenticated provisioning allowed -#3 = both provisioning modes allowed (default) -#eap_fast_prov=3 - -# EAP-FAST PAC-Key lifetime in seconds (hard limit) -#pac_key_lifetime=604800 - -# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard -# limit). The server will generate a new PAC-Key when this number of seconds -# (or fewer) of the lifetime remains. -#pac_key_refresh_time=86400 - -# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND -# (default: 0 = disabled). -#eap_sim_aka_result_ind=1 - -# Trusted Network Connect (TNC) -# If enabled, TNC validation will be required before the peer is allowed to -# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other -# EAP method is enabled, the peer will be allowed to connect without TNC. -#tnc=1 - - -##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### - -# Interface to be used for IAPP broadcast packets -#iapp_interface=eth0 - - -##### RADIUS client configuration ############################################# -# for IEEE 802.1X with external Authentication Server, IEEE 802.11 -# authentication with external ACL for MAC addresses, and accounting - -# The own IP address of the access point (used as NAS-IP-Address) -own_ip_addr=10.1.0.1 - -# Optional NAS-Identifier string for RADIUS messages. When used, this should be -# a unique to the NAS within the scope of the RADIUS server. For example, a -# fully qualified domain name can be used here. -# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and -# 48 octets long. -#nas_identifier=ap.example.com - -# RADIUS authentication server -auth_server_addr=10.1.0.10 -#auth_server_port=1812 -auth_server_shared_secret=gv6URkSs - -# RADIUS accounting server -#acct_server_addr=127.0.0.1 -#acct_server_port=1813 -#acct_server_shared_secret=secret - -# Secondary RADIUS servers; to be used if primary one does not reply to -# RADIUS packets. These are optional and there can be more than one secondary -# server listed. -#auth_server_addr=127.0.0.2 -#auth_server_port=1812 -#auth_server_shared_secret=secret2 -# -#acct_server_addr=127.0.0.2 -#acct_server_port=1813 -#acct_server_shared_secret=secret2 - -# Retry interval for trying to return to the primary RADIUS server (in -# seconds). RADIUS client code will automatically try to use the next server -# when the current server is not replying to requests. If this interval is set, -# primary server will be retried after configured amount of time even if the -# currently used secondary server is still working. -#radius_retry_primary_interval=600 - - -# Interim accounting update interval -# If this is set (larger than 0) and acct_server is configured, hostapd will -# send interim accounting updates every N seconds. Note: if set, this overrides -# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this -# value should not be configured in hostapd.conf, if RADIUS server is used to -# control the interim interval. -# This value should not be less 600 (10 minutes) and must not be less than -# 60 (1 minute). -#radius_acct_interim_interval=600 - -# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN -# is used for the stations. This information is parsed from following RADIUS -# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN), -# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value -# VLANID as a string). vlan_file option below must be configured if dynamic -# VLANs are used. Optionally, the local MAC ACL list (accept_mac_file) can be -# used to set static client MAC address to VLAN ID mapping. -# 0 = disabled (default) -# 1 = option; use default interface if RADIUS server does not include VLAN ID -# 2 = required; reject authentication if RADIUS server does not include VLAN ID -#dynamic_vlan=0 - -# VLAN interface list for dynamic VLAN mode is read from a separate text file. -# This list is used to map VLAN ID from the RADIUS server to a network -# interface. Each station is bound to one interface in the same way as with -# multiple BSSIDs or SSIDs. Each line in this text file is defining a new -# interface and the line must include VLAN ID and interface name separated by -# white space (space or tab). -#vlan_file=/etc/hostapd.vlan - -# Interface where 802.1q tagged packets should appear when a RADIUS server is -# used to determine which VLAN a station is on. hostapd creates a bridge for -# each VLAN. Then hostapd adds a VLAN interface (associated with the interface -# indicated by 'vlan_tagged_interface') and the appropriate wireless interface -# to the bridge. -#vlan_tagged_interface=eth0 - - -##### RADIUS authentication server configuration ############################## - -# hostapd can be used as a RADIUS authentication server for other hosts. This -# requires that the integrated EAP server is also enabled and both -# authentication services are sharing the same configuration. - -# File name of the RADIUS clients configuration for the RADIUS server. If this -# commented out, RADIUS server is disabled. -#radius_server_clients=/etc/hostapd.radius_clients - -# The UDP port number for the RADIUS authentication server -#radius_server_auth_port=1812 - -# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API) -#radius_server_ipv6=1 - - -##### WPA/IEEE 802.11i configuration ########################################## - -# Enable WPA. Setting this variable configures the AP to require WPA (either -# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either -# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. -# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), -# RADIUS authentication server must be configured, and WPA-EAP must be included -# in wpa_key_mgmt. -# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) -# and/or WPA2 (full IEEE 802.11i/RSN): -# bit0 = WPA -# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) -#wpa=1 - -# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit -# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase -# (8..63 characters) that will be converted to PSK. This conversion uses SSID -# so the PSK changes when ASCII passphrase is used and the SSID is changed. -# wpa_psk (dot11RSNAConfigPSKValue) -# wpa_passphrase (dot11RSNAConfigPSKPassPhrase) -#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -#wpa_passphrase=secret passphrase - -# Optionally, WPA PSKs can be read from a separate text file (containing list -# of (PSK,MAC address) pairs. This allows more than one PSK to be configured. -# Use absolute path name to make sure that the files can be read on SIGHUP -# configuration reloads. -#wpa_psk_file=/etc/hostapd.wpa_psk - -# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The -# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be -# added to enable SHA256-based stronger algorithms. -# (dot11RSNAConfigAuthenticationSuitesTable) -#wpa_key_mgmt=WPA-PSK WPA-EAP - -# Set of accepted cipher suites (encryption algorithms) for pairwise keys -# (unicast packets). This is a space separated list of algorithms: -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] -# Group cipher suite (encryption algorithm for broadcast and multicast frames) -# is automatically selected based on this configuration. If only CCMP is -# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, -# TKIP will be used as the group cipher. -# (dot11RSNAConfigPairwiseCiphersTable) -# Pairwise cipher for WPA (v1) (default: TKIP) -#wpa_pairwise=TKIP CCMP -# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value) -#rsn_pairwise=CCMP - -# Time interval for rekeying GTK (broadcast/multicast encryption keys) in -# seconds. (dot11RSNAConfigGroupRekeyTime) -#wpa_group_rekey=600 - -# Rekey GTK when any STA that possesses the current GTK is leaving the BSS. -# (dot11RSNAConfigGroupRekeyStrict) -#wpa_strict_rekey=1 - -# Time interval for rekeying GMK (master key used internally to generate GTKs -# (in seconds). -#wpa_gmk_rekey=86400 - -# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of -# PTK to mitigate some attacks against TKIP deficiencies. -#wpa_ptk_rekey=600 - -# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up -# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN -# authentication and key handshake before actually associating with a new AP. -# (dot11RSNAPreauthenticationEnabled) -#rsn_preauth=1 -# -# Space separated list of interfaces from which pre-authentication frames are -# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all -# interface that are used for connections to other APs. This could include -# wired interfaces and WDS links. The normal wireless data interface towards -# associated stations (e.g., wlan0) should not be added, since -# pre-authentication is only used with APs other than the currently associated -# one. -#rsn_preauth_interfaces=eth0 - -# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is -# allowed. This is only used with RSN/WPA2. -# 0 = disabled (default) -# 1 = enabled -#peerkey=1 - -# ieee80211w: Whether management frame protection (MFP) is enabled -# 0 = disabled (default) -# 1 = optional -# 2 = required -#ieee80211w=0 - -# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP) -# (maximum time to wait for a SA Query response) -# dot11AssociationSAQueryMaximumTimeout, 1...4294967295 -#assoc_sa_query_max_timeout=1000 - -# Association SA Query retry timeout (in TU = 1.024 ms; for MFP) -# (time between two subsequent SA Query requests) -# dot11AssociationSAQueryRetryTimeout, 1...4294967295 -#assoc_sa_query_retry_timeout=201 - -# disable_pmksa_caching: Disable PMKSA caching -# This parameter can be used to disable caching of PMKSA created through EAP -# authentication. RSN preauthentication may still end up using PMKSA caching if -# it is enabled (rsn_preauth=1). -# 0 = PMKSA caching enabled (default) -# 1 = PMKSA caching disabled -#disable_pmksa_caching=0 - -# okc: Opportunistic Key Caching (aka Proactive Key Caching) -# Allow PMK cache to be shared opportunistically among configured interfaces -# and BSSes (i.e., all configurations within a single hostapd process). -# 0 = disabled (default) -# 1 = enabled -#okc=1 - - -##### IEEE 802.11r configuration ############################################## - -# Mobility Domain identifier (dot11FTMobilityDomainID, MDID) -# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the -# same SSID) between which a STA can use Fast BSS Transition. -# 2-octet identifier as a hex string. -#mobility_domain=a1b2 - -# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID) -# 1 to 48 octet identifier. -# This is configured with nas_identifier (see RADIUS client section above). - -# Default lifetime of the PMK-RO in minutes; range 1..65535 -# (dot11FTR0KeyLifetime) -#r0_key_lifetime=10000 - -# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID) -# 6-octet identifier as a hex string. -#r1_key_holder=000102030405 - -# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535) -# (dot11FTReassociationDeadline) -#reassociation_deadline=1000 - -# List of R0KHs in the same Mobility Domain -# format: <128-bit key as hex string> -# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC -# address when requesting PMK-R1 key from the R0KH that the STA used during the -# Initial Mobility Domain Association. -#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f -#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff -# And so on.. One line per R0KH. - -# List of R1KHs in the same Mobility Domain -# format: <128-bit key as hex string> -# This list is used to map R1KH-ID to a destination MAC address when sending -# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD -# that can request PMK-R1 keys. -#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f -#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff -# And so on.. One line per R1KH. - -# Whether PMK-R1 push is enabled at R0KH -# 0 = do not push PMK-R1 to all configured R1KHs (default) -# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived -#pmk_r1_push=1 - -##### Neighbor table ########################################################## -# Maximum number of entries kept in AP table (either for neigbor table or for -# detecting Overlapping Legacy BSS Condition). The oldest entry will be -# removed when adding a new entry that would make the list grow over this -# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is -# enabled, so this field should not be set to 0 when using IEEE 802.11g. -# default: 255 -#ap_table_max_size=255 - -# Number of seconds of no frames received after which entries may be deleted -# from the AP table. Since passive scanning is not usually performed frequently -# this should not be set to very small value. In addition, there is no -# guarantee that every scan cycle will receive beacon frames from the -# neighboring APs. -# default: 60 -#ap_table_expiration_time=3600 - - -##### Wi-Fi Protected Setup (WPS) ############################################# - -# WPS state -# 0 = WPS disabled (default) -# 1 = WPS enabled, not configured -# 2 = WPS enabled, configured -#wps_state=2 - -# AP can be configured into a locked state where new WPS Registrar are not -# accepted, but previously authorized Registrars (including the internal one) -# can continue to add new Enrollees. -#ap_setup_locked=1 - -# Universally Unique IDentifier (UUID; see RFC 4122) of the device -# This value is used as the UUID for the internal WPS Registrar. If the AP -# is also using UPnP, this value should be set to the device's UPnP UUID. -# If not configured, UUID will be generated based on the local MAC address. -#uuid=12345678-9abc-def0-1234-56789abcdef0 - -# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs -# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the -# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of -# per-device PSKs is recommended as the more secure option (i.e., make sure to -# set wpa_psk_file when using WPS with WPA-PSK). - -# When an Enrollee requests access to the network with PIN method, the Enrollee -# PIN will need to be entered for the Registrar. PIN request notifications are -# sent to hostapd ctrl_iface monitor. In addition, they can be written to a -# text file that could be used, e.g., to populate the AP administration UI with -# pending PIN requests. If the following variable is set, the PIN requests will -# be written to the configured file. -#wps_pin_requests=/var/run/hostapd_wps_pin_requests - -# Device Name -# User-friendly description of device; up to 32 octets encoded in UTF-8 -#device_name=Wireless AP - -# Manufacturer -# The manufacturer of the device (up to 64 ASCII characters) -#manufacturer=Company - -# Model Name -# Model of the device (up to 32 ASCII characters) -#model_name=WAP - -# Model Number -# Additional device description (up to 32 ASCII characters) -#model_number=123 - -# Serial Number -# Serial number of the device (up to 32 characters) -#serial_number=12345 - -# Primary Device Type -# Used format: -- -# categ = Category as an integer value -# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for -# default WPS OUI -# subcateg = OUI-specific Sub Category as an integer value -# Examples: -# 1-0050F204-1 (Computer / PC) -# 1-0050F204-2 (Computer / Server) -# 5-0050F204-1 (Storage / NAS) -# 6-0050F204-1 (Network Infrastructure / AP) -#device_type=6-0050F204-1 - -# OS Version -# 4-octet operating system version number (hex string) -#os_version=01020300 - -# Config Methods -# List of the supported configuration methods -# Available methods: usba ethernet label display ext_nfc_token int_nfc_token -# nfc_interface push_button keypad virtual_display physical_display -# virtual_push_button physical_push_button -#config_methods=label virtual_display virtual_push_button keypad - -# WPS capability discovery workaround for PBC with Windows 7 -# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting -# as a Registrar and using M1 from the AP. The config methods attribute in that -# message is supposed to indicate only the configuration method supported by -# the AP in Enrollee role, i.e., to add an external Registrar. For that case, -# PBC shall not be used and as such, the PushButton config method is removed -# from M1 by default. If pbc_in_m1=1 is included in the configuration file, -# the PushButton config method is left in M1 (if included in config_methods -# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label -# in the AP). -#pbc_in_m1=1 - -# Static access point PIN for initial configuration and adding Registrars -# If not set, hostapd will not allow external WPS Registrars to control the -# access point. The AP PIN can also be set at runtime with hostapd_cli -# wps_ap_pin command. Use of temporary (enabled by user action) and random -# AP PIN is much more secure than configuring a static AP PIN here. As such, -# use of the ap_pin parameter is not recommended if the AP device has means for -# displaying a random PIN. -#ap_pin=12345670 - -# Skip building of automatic WPS credential -# This can be used to allow the automatically generated Credential attribute to -# be replaced with pre-configured Credential(s). -#skip_cred_build=1 - -# Additional Credential attribute(s) -# This option can be used to add pre-configured Credential attributes into M8 -# message when acting as a Registrar. If skip_cred_build=1, this data will also -# be able to override the Credential attribute that would have otherwise been -# automatically generated based on network configuration. This configuration -# option points to an external file that much contain the WPS Credential -# attribute(s) as binary data. -#extra_cred=hostapd.cred - -# Credential processing -# 0 = process received credentials internally (default) -# 1 = do not process received credentials; just pass them over ctrl_iface to -# external program(s) -# 2 = process received credentials internally and pass them over ctrl_iface -# to external program(s) -# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and -# extra_cred be used to provide the Credential data for Enrollees. -# -# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file -# both for Credential processing and for marking AP Setup Locked based on -# validation failures of AP PIN. An external program is responsible on updating -# the configuration appropriately in this case. -#wps_cred_processing=0 - -# AP Settings Attributes for M7 -# By default, hostapd generates the AP Settings Attributes for M7 based on the -# current configuration. It is possible to override this by providing a file -# with pre-configured attributes. This is similar to extra_cred file format, -# but the AP Settings attributes are not encapsulated in a Credential -# attribute. -#ap_settings=hostapd.ap_settings - -# WPS UPnP interface -# If set, support for external Registrars is enabled. -#upnp_iface=br0 - -# Friendly Name (required for UPnP) -# Short description for end use. Should be less than 64 characters. -#friendly_name=WPS Access Point - -# Manufacturer URL (optional for UPnP) -#manufacturer_url=http://www.example.com/ - -# Model Description (recommended for UPnP) -# Long description for end user. Should be less than 128 characters. -#model_description=Wireless Access Point - -# Model URL (optional for UPnP) -#model_url=http://www.example.com/model/ - -# Universal Product Code (optional for UPnP) -# 12-digit, all-numeric code that identifies the consumer package. -#upc=123456789012 - -##### Wi-Fi Direct (P2P) ###################################################### - -# Enable P2P Device management -#manage_p2p=1 - -# Allow cross connection -#allow_cross_connection=1 - -#### TDLS (IEEE 802.11z-2010) ################################################# - -# Prohibit use of TDLS in this BSS -#tdls_prohibit=1 - -# Prohibit use of TDLS Channel Switching in this BSS -#tdls_prohibit_chan_switch=1 - -##### IEEE 802.11v-2011 ####################################################### - -# Time advertisement -# 0 = disabled (default) -# 2 = UTC time at which the TSF timer is 0 -#time_advertisement=2 - -# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004: -# stdoffset[dst[offset][,start[/time],end[/time]]] -#time_zone=EST5 - -##### IEEE 802.11u-2011 ####################################################### - -# Enable Interworking service -#interworking=1 - -# Access Network Type -# 0 = Private network -# 1 = Private network with guest access -# 2 = Chargeable public network -# 3 = Free public network -# 4 = Personal device network -# 5 = Emergency services only network -# 14 = Test or experimental -# 15 = Wildcard -#access_network_type=0 - -# Whether the network provides connectivity to the Internet -# 0 = Unspecified -# 1 = Network provides connectivity to the Internet -#internet=1 - -# Additional Step Required for Access -# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if -# RSN is used. -#asra=0 - -# Emergency services reachable -#esr=0 - -# Unauthenticated emergency service accessible -#uesa=0 - -# Venue Info (optional) -# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34. -# Example values (group,type): -# 0,0 = Unspecified -# 1,7 = Convention Center -# 1,13 = Coffee Shop -# 2,0 = Unspecified Business -# 7,1 Private Residence -#venue_group=7 -#venue_type=1 - -# Homogeneous ESS identifier (optional; dot11HESSID) -# If set, this shall be identifical to one of the BSSIDs in the homogeneous -# ESS and this shall be set to the same value across all BSSs in homogeneous -# ESS. -#hessid=02:03:04:05:06:07 - -# Roaming Consortium List -# Arbitrary number of Roaming Consortium OIs can be configured with each line -# adding a new OI to the list. The first three entries are available through -# Beacon and Probe Response frames. Any additional entry will be available only -# through ANQP queries. Each OI is between 3 and 15 octets and is configured a -# a hexstring. -#roaming_consortium=021122 -#roaming_consortium=2233445566 - -##### Multiple BSSID support ################################################## -# -# Above configuration is using the default interface (wlan#, or multi-SSID VLAN -# interfaces). Other BSSIDs can be added by using separator 'bss' with -# default interface name to be allocated for the data packets of the new BSS. -# -# hostapd will generate BSSID mask based on the BSSIDs that are -# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is -# not the case, the MAC address of the radio must be changed before starting -# hostapd (ifconfig wlan0 hw ether ). If a BSSID is configured for -# every secondary BSS, this limitation is not applied at hostapd and other -# masks may be used if the driver supports them (e.g., swap the locally -# administered bit) -# -# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is -# specified using the 'bssid' parameter. -# If an explicit BSSID is specified, it must be chosen such that it: -# - results in a valid MASK that covers it and the dev_addr -# - is not the same as the MAC address of the radio -# - is not the same as any other explicitly specified BSSID -# -# Please note that hostapd uses some of the values configured for the first BSS -# as the defaults for the following BSSes. However, it is recommended that all -# BSSes include explicit configuration of all relevant configuration items. -# -#bss=wlan0_0 -#ssid=test2 -# most of the above items can be used here (apart from radio interface specific -# items, like channel) - -#bss=wlan0_1 -#bssid=00:13:10:95:fe:0b -# ... diff --git a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat deleted file mode 100644 index b55e0457c..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::killall wpa_supplicant -dave::killall wpa_supplicant -moon::killall hostapd -alice::killall radiusd -alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat deleted file mode 100644 index 4dbff64a3..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second -alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second -alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -moon::hostapd -B /etc/hostapd/hostapd.conf -carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0 -carol::sleep 4 -dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0 -dave::sleep 4 diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/tnc/tnccs-11-supplicant/test.conf deleted file mode 100644 index 2069e4aa5..000000000 --- a/testing/tests/tnc/tnccs-11-supplicant/test.conf +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS= - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="carol dave" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS="alice" - -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql new file mode 100644 index 000000000..548c101e4 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/collector.sql @@ -0,0 +1,39 @@ +/* SW Identifiers */ + +INSERT INTO sw_identifiers ( + name, package, version, source, installed +) VALUES ( + 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libutempter0-1.1.5', 'libutempter0', '1.1.5', 1, 0 +); + +INSERT INTO sw_identifiers ( + name, package, version, source, installed +) VALUES ( + 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-libevent-2.0-5-2.0.20', 'libevent-2.0-5', '2.0.20', 1, 0 +); + +INSERT INTO sw_identifiers ( + name, package, version, source, installed +) VALUES ( + 'strongswan.org__Debian_DEBIAN_VERSION-x86_64-tmux-2.2', 'tmux', '2.2', 1, 0 +); + +/* SW Events */ + +INSERT INTO sw_events ( + eid, sw_id, action +) VALUES ( + 2, 1, 2 +); + +INSERT INTO sw_events ( + eid, sw_id, action +) VALUES ( + 2, 2, 2 +); + +INSERT INTO sw_events ( + eid, sw_id, action +) VALUES ( + 2, 3, 2 +); diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat index c0049d7fd..5d0602c15 100644 --- a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat @@ -1,6 +1,7 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 +carol::rm /etc/pts/collector.sql alice::systemctl stop strongswan-swanctl alice::systemctl stop apache2 alice::rm /etc/swanctl/rsa/aaaKey.pem diff --git a/testing/tests/tnc/tnccs-20-fhh/description.txt b/testing/tests/tnc/tnccs-20-fhh/description.txt deleted file mode 100644 index 8bf1543d2..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/description.txt +++ /dev/null @@ -1,13 +0,0 @@ -The roadwarriors carol and dave set up a connection each to gateway moon -using EAP-TTLS authentication only with the gateway presenting a server certificate and -the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. The Dummy IMC and IMV from the - -TNC@FHH project are used which communicate over a proprietary protocol. -

-carol passes the health test and dave fails. Based on these measurements the -clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, -respectively. -

diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat deleted file mode 100644 index bf0732604..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES -dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::added group membership 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES -dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES -dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon deleted file mode 100755 index bf3a6891a..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon +++ /dev/null @@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf deleted file mode 100644 index aa4934fb1..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - - multiple_authentication = no - - syslog { - daemon { - tnc = 3 - imc = 2 - } - } -} - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf deleted file mode 100644 index 0f266dd93..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.100 - remote_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = carol@strongswan.org - } - remote { - auth = eap-ttls - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = carol@strongswan.org - secret = "Ar3etTnp" - } -} diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file deleted file mode 100644 index f5da834c0..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -allow diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties deleted file mode 100644 index b1c694107..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config deleted file mode 100644 index 3ef780933..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon deleted file mode 100755 index bf3a6891a..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon +++ /dev/null @@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 8fc1c8729..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,17 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - - multiple_authentication = no - syslog { - daemon { - tnc = 3 - imc = 2 - } - } -} - -libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 -} diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf deleted file mode 100644 index 989ab88c7..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - home { - local_addrs = 192.168.0.200 - remote_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = dave@strongswan.org - } - remote { - auth = eap-ttls - id = moon.strongswan.org - } - children { - home { - remote_ts = 10.1.0.0/16 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file deleted file mode 100644 index c20b5e57f..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file +++ /dev/null @@ -1 +0,0 @@ -isolate \ No newline at end of file diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties deleted file mode 100644 index b1c694107..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config deleted file mode 100644 index 8eee8068a..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon deleted file mode 100755 index bf3a6891a..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon +++ /dev/null @@ -1,158 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: charon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: strongSwan charon IKE daemon -# Description: with swanctl the strongSwan charon daemon must be -# running in the background -### END INIT INFO - -# Author: Andreas Steffen -# -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin -DESC="strongSwan charon IKE daemon" -NAME=charon -DAEMON=/usr/local/libexec/ipsec/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/charon - -export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4732fbd4b..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown - - multiple_authentication = no - - syslog { - daemon { - tnc = 3 - imv = 2 - } - } - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100644 index 1238c1a91..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,64 +0,0 @@ -connections { - - rw-allow { - local_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = moon.strongswan.org - } - remote { - auth = eap-ttls - id = *@strongswan.org - groups = allow - } - children { - rw-allow { - local_ts = 10.1.0.0/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } - - rw-isolate { - local_addrs = 192.168.0.1 - - local { - auth = eap-ttls - id = moon.strongswan.org - } - remote { - auth = eap-ttls - id = *@strongswan.org - groups = isolate - } - children { - rw-isolate { - local_ts = 10.1.0.16/28 - - updown = /usr/local/libexec/ipsec/_updown iptables - esp_proposals = aes128gcm16-modp3072 - } - } - version = 2 - send_certreq = no - proposals = aes128-sha256-modp3072 - } -} - -secrets { - - eap-carol { - id = carol@strongswan.org - secret = "Ar3etTnp" - } - eap-dave { - id = dave@strongswan.org - secret = "W7R0g3do" - } -} diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy deleted file mode 100644 index d00491fd7..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy +++ /dev/null @@ -1 +0,0 @@ -1 diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy deleted file mode 100644 index d8215dd3c..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy +++ /dev/null @@ -1,40 +0,0 @@ -#FTP - File Transfer Protocol -TCP 20 = whatever -TCP 21 = close - -#SSH - Secure Shell -TCP 22 = whatever - -#Telnet -TCP 23 = close - -#E-Mail -# -#SMTP - Simple Mail Transfer Protocol -TCP 25 = close -TCP 587 = close -#POP3 - Post Office Protocol version 3 -TCP 110 = close -TCP 995 = close - -#DNS - Domain Name System -UDP 53 = close -TCP 53 = close - -#BOOTP/DHCP - Bootstrap Protocol / -#Dynamic Host Configuration Protocol -UDP 67 = close -#UDP 68 = open -UDP 68 = whatever - -#www - World Wide Web -#HTTP - Hypertext Transfer Protocol -TCP 80 = close -#HTTPS - Hypertext Transfer Protocol Secure -TCP 443 = close - -#examples -TCP 8080 = close -TCP 5223 = whatever -UDP 4444 = close -UDP 631 = whatever diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties deleted file mode 100644 index 122d798b3..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties +++ /dev/null @@ -1,15 +0,0 @@ -# Set root logger level to DEBUG and its appenders to A1 and A2. -log4j.rootLogger=DEBUG, A1, A2 - -# A1 is set to be a ConsoleAppender. -log4j.appender.A1=org.apache.log4j.ConsoleAppender -log4j.appender.A1.layout=org.apache.log4j.PatternLayout -log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n - -# A2 is set to be a SyslogAppender -log4j.appender.A2=org.apache.log4j.net.SyslogAppender -log4j.appender.A2.Facility=DAEMON -log4j.appender.A2.SyslogHost=localhost -log4j.appender.A2.Threshold=DEBUG -log4j.appender.A2.layout=org.apache.log4j.PatternLayout -log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config deleted file mode 100644 index fa4324e38..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config +++ /dev/null @@ -1,3 +0,0 @@ -#IMV configuration file for strongSwan server - -IMV "Dummy" /usr/local/lib/libdummyimv.so diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat deleted file mode 100644 index 199873ba1..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -carol::systemctl stop strongswan-swanctl -dave::systemctl stop strongswan-swanctl -moon::systemctl stop strongswan-swanctl -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat deleted file mode 100644 index 79340af29..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat +++ /dev/null @@ -1,20 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -carol::cat /etc/tnc/dummyimc.file -dave::cat /etc/tnc/dummyimc.file -carol::rm /etc/swanctl/rsa/* -dave::rm /etc/swanctl/rsa/* -carol::rm /etc/swanctl/x509/* -dave::rm /etc/swanctl/x509/* -moon::systemctl start strongswan-swanctl -carol::systemctl start strongswan-swanctl -dave::systemctl start strongswan-swanctl -moon::expect-connection rw-allow -carol::expect-connection home -carol::swanctl --initiate --child home 2> /dev/null -dave::expect-connection home -dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf deleted file mode 100644 index f6db73912..000000000 --- a/testing/tests/tnc/tnccs-20-fhh/test.conf +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS= - -# charon controlled by swanctl -# -SWANCTL=1 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf index 4075f75bd..cd5056e83 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf @@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc - - Require all granted - - - Order deny,allow - Allow from all - + Require all granted diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default deleted file mode 100644 index 1dc8b5688..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default +++ /dev/null @@ -1 +0,0 @@ -Include sites-available/000-default.conf \ No newline at end of file diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf index 4075f75bd..cd5056e83 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf @@ -9,13 +9,7 @@ WSGIPythonPath /var/www/tnc - - Require all granted - - - Order deny,allow - Allow from all - + Require all granted diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default deleted file mode 100644 index 1dc8b5688..000000000 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default +++ /dev/null @@ -1 +0,0 @@ -Include sites-available/000-default.conf \ No newline at end of file -- cgit v1.2.3