From db67c87db3c9089ea8d2e14f617bf3d9e2af261f Mon Sep 17 00:00:00 2001 
From: Rene Mayrhofer Date: Wed, 9 Jul 2008 21:02:41 +0000 Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.2.4) --- testing/INSTALL | 8 +- testing/Makefile.in | 20 +- testing/do-tests.in | 50 +++-- testing/hosts/alice/etc/ipsec.d/ipsec.sql | 4 + testing/hosts/alice/etc/strongswan.conf | 1 + testing/hosts/bob/etc/ipsec.d/ipsec.sql | 4 + testing/hosts/bob/etc/strongswan.conf | 1 + testing/hosts/carol/etc/ipsec.d/ipsec.sql | 4 + testing/hosts/carol/etc/strongswan.conf | 1 + testing/hosts/dave/etc/ipsec.d/ipsec.sql | 4 + testing/hosts/dave/etc/strongswan.conf | 1 + testing/hosts/default/etc/ipsec.d/tables.sql | 204 +++++++++++++++++++++ testing/hosts/moon/etc/ipsec.d/ipsec.sql | 4 + testing/hosts/moon/etc/strongswan.conf | 1 + testing/hosts/sun/etc/ipsec.d/ipsec.sql | 4 + testing/hosts/sun/etc/strongswan.conf | 1 + testing/hosts/venus/etc/ipsec.d/ipsec.sql | 4 + testing/hosts/venus/etc/strongswan.conf | 1 + .../certs/0e35060aed55a85aa8520815c166588fc35bcd93 | Bin 0 -> 965 bytes .../certs/1b260aa901f29db73635f568c34e27d1f1cb23ab | Bin 0 -> 959 bytes .../certs/394ceefaef48af8394d9a0e63d74cc56a4117a23 | Bin 0 -> 1062 bytes .../certs/430651fd670098ad72f02c4cc34a017f9931c88b | Bin 0 -> 1049 bytes .../certs/47a2450a79a68462c105747751a6526aa8a20277 | Bin 0 -> 1043 bytes .../certs/4f4b98c28a1d286274f529e75000cfbb02ce4c64 | Bin 0 -> 1039 bytes .../certs/53b5bf163ae90d54271288852c2ab062fb9e74e3 | Bin 0 -> 1061 bytes .../certs/7c6a448fb938e5c19ab75631f0d0cbb92b25f2a9 | Bin 0 -> 1049 bytes .../certs/7db109750703f47b822eb10cf205159f90fe3634 | Bin 0 -> 1119 bytes .../certs/8dcd0fcfbfdcfce2480a4f18b20007517df2091f | Bin 0 -> 965 bytes .../certs/8e9be7e9f0de2874707245ee200bfb971a646ba9 | Bin 0 -> 1059 bytes .../certs/9ff39ec266e309f2b53748a4fe0cfd3923955ff4 | Bin 0 -> 1095 bytes .../certs/a91bb369a86604673f42f25b3fc94422eb73afd5 | Bin 0 -> 1041 bytes .../certs/af19b02dcdc28a4e86d1657b656f0cac63b5474b | Bin 0 -> 1059 bytes 
.../certs/b15a2fbbd5613781df896d28f82e4b0893011530 | Bin 0 -> 1070 bytes .../certs/bb027269812f2cb0c1ba534c0016b7f33bdca83f | Bin 0 -> 1041 bytes .../certs/cedd2d5985ee0efde7acb2f788ed1a4237197d01 | Bin 0 -> 1062 bytes .../certs/e07015ca76fba1039b247ce96c214bb038539cc8 | Bin 0 -> 1058 bytes .../certs/e08213ec6a79e05c86a6f8a378eb4d5086352a7b | Bin 0 -> 1059 bytes .../certs/f2595dbd1ee26d9df0e8c5beae47875c68b97b4c | Bin 0 -> 1062 bytes .../0855c55d208f71747b88da0fabcce348be495ac0 | Bin 0 -> 1028 bytes .../29d8bec44f188d61072bad52bfaf6f8553342f15 | Bin 0 -> 1013 bytes .../91b2e4f8a1612a34c646fb8320aaf374cc78ab7b | Bin 0 -> 1072 bytes .../fc384911d10e35814a20c92642873925eada85c3 | Bin 0 -> 1132 bytes .../sales/3f24becda29cf44f0e4e89f894b925ab7e7a0aac | Bin 0 -> 1056 bytes .../sales/937fb1c8fa8bb3b169c63c8f77562592e44cfb32 | Bin 0 -> 1066 bytes .../sales/a4317f76f97afb3b6308c4b3496eb09d9efeed00 | Bin 0 -> 1025 bytes .../sales/fcc1991dae2d8444c841c386e1921c59882afcf2 | Bin 0 -> 1114 bytes testing/hosts/winnetou/etc/openssl/ecdsa/.rand | Bin 0 -> 1024 bytes testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber | 1 + .../hosts/winnetou/etc/openssl/ecdsa/crlnumber.old | 1 + testing/hosts/winnetou/etc/openssl/ecdsa/index.txt | 4 + .../winnetou/etc/openssl/ecdsa/index.txt.attr | 1 + .../winnetou/etc/openssl/ecdsa/index.txt.attr.old | 1 + .../hosts/winnetou/etc/openssl/ecdsa/index.txt.old | 3 + .../winnetou/etc/openssl/ecdsa/newcerts/01.pem | 20 ++ .../winnetou/etc/openssl/ecdsa/newcerts/02.pem | 18 ++ .../winnetou/etc/openssl/ecdsa/newcerts/03.pem | 19 ++ .../winnetou/etc/openssl/ecdsa/newcerts/04.pem | 18 ++ .../hosts/winnetou/etc/openssl/ecdsa/openssl.cnf | 184 +++++++++++++++++++ testing/hosts/winnetou/etc/openssl/ecdsa/serial | 1 + .../hosts/winnetou/etc/openssl/ecdsa/serial.old | 1 + .../etc/openssl/ecdsa/strongswan_ecCert.pem | 17 ++ .../etc/openssl/ecdsa/strongswan_ecKey.pem | 7 + testing/hosts/winnetou/etc/openssl/generate-crl | 5 +- testing/make-testing | 2 +- 
testing/scripts/build-umlhostfs | 7 +- testing/scripts/build-umlrootfs | 35 +++- testing/scripts/gstart-umls | 127 +++++++++++++ testing/scripts/kstart-umls | 4 +- testing/scripts/load-testconfig | 4 +- testing/scripts/restore-defaults | 4 +- testing/scripts/start-switches | 2 +- testing/scripts/start-umls | 8 +- testing/scripts/xstart-umls | 8 +- testing/start-testing | 2 +- testing/stop-testing | 2 +- testing/testing.conf | 25 ++- .../ike/rw-cert/hosts/dave/etc/strongswan.conf | 5 + .../ike/rw-cert/hosts/moon/etc/strongswan.conf | 5 + .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf | 5 + .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf | 5 + testing/tests/ikev1/alg-blowfish/evaltest.dat | 7 +- testing/tests/ikev1/alg-serpent/evaltest.dat | 7 +- testing/tests/ikev1/alg-sha2_256/evaltest.dat | 6 +- testing/tests/ikev1/alg-twofish/evaltest.dat | 6 +- .../tests/ikev1/esp-alg-aesxcbc/description.txt | 4 + testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat | 9 + .../esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf | 24 +++ .../esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf | 24 +++ testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat | 2 + testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat | 5 + testing/tests/ikev1/esp-alg-aesxcbc/test.conf | 22 +++ .../tests/ikev1/esp-alg-camellia/description.txt | 4 + testing/tests/ikev1/esp-alg-camellia/evaltest.dat | 8 + .../esp-alg-camellia/hosts/carol/etc/ipsec.conf | 24 +++ .../esp-alg-camellia/hosts/moon/etc/ipsec.conf | 24 +++ testing/tests/ikev1/esp-alg-camellia/posttest.dat | 2 + testing/tests/ikev1/esp-alg-camellia/pretest.dat | 5 + testing/tests/ikev1/esp-alg-camellia/test.conf | 22 +++ testing/tests/ikev1/req-pkcs10/pretest.dat | 1 + testing/tests/ikev1/xauth-rsa-fail/pretest.dat | 1 + testing/tests/ikev2/alg-aes-xcbc/description.txt | 4 + testing/tests/ikev2/alg-aes-xcbc/evaltest.dat | 9 + .../ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf | 25 +++ .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf | 5 + 
.../ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf | 24 +++ .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/alg-aes-xcbc/posttest.dat | 4 + testing/tests/ikev2/alg-aes-xcbc/pretest.dat | 6 + testing/tests/ikev2/alg-aes-xcbc/test.conf | 21 +++ testing/tests/ikev2/compress/description.txt | 3 + testing/tests/ikev2/compress/evaltest.dat | 10 + .../ikev2/compress/hosts/carol/etc/ipsec.conf | 23 +++ .../ikev2/compress/hosts/carol/etc/strongswan.conf | 5 + .../tests/ikev2/compress/hosts/moon/etc/ipsec.conf | 23 +++ .../ikev2/compress/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/compress/posttest.dat | 2 + testing/tests/ikev2/compress/pretest.dat | 5 + testing/tests/ikev2/compress/test.conf | 22 +++ .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/ipsec.conf | 1 - .../hosts/moon/etc/strongswan.conf | 5 + .../config-payload/hosts/carol/etc/strongswan.conf | 5 + .../config-payload/hosts/dave/etc/strongswan.conf | 5 + .../ikev2/config-payload/hosts/moon/etc/ipsec.conf | 1 - .../config-payload/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/crl-from-cache/evaltest.dat | 14 +- .../crl-from-cache/hosts/carol/etc/strongswan.conf | 5 + .../crl-from-cache/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/crl-ldap/evaltest.dat | 16 +- .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/crl-revoked/evaltest.dat | 5 +- .../crl-revoked/hosts/carol/etc/strongswan.conf | 5 + .../crl-revoked/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/crl-to-cache/evaltest.dat | 4 +- .../crl-to-cache/hosts/carol/etc/strongswan.conf | 5 + .../crl-to-cache/hosts/moon/etc/strongswan.conf | 5 + .../default-keys/hosts/carol/etc/strongswan.conf | 5 + .../default-keys/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/default-keys/pretest.dat | 2 +- .../double-nat-net/hosts/alice/etc/strongswan.conf | 5 + 
.../double-nat-net/hosts/bob/etc/strongswan.conf | 5 + .../double-nat/hosts/alice/etc/strongswan.conf | 5 + .../ikev2/double-nat/hosts/bob/etc/strongswan.conf | 5 + .../dpd-clear/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf | 5 + .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf | 5 + .../dpd-restart/hosts/carol/etc/strongswan.conf | 5 + .../dpd-restart/hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/esp-alg-aes-ccm/description.txt | 4 + testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat | 5 + .../esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf | 25 +++ .../hosts/carol/etc/strongswan.conf | 5 + .../esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf | 24 +++ .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat | 4 + testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat | 6 + testing/tests/ikev2/esp-alg-aes-ccm/test.conf | 21 +++ .../tests/ikev2/esp-alg-aes-gcm/description.txt | 4 + testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat | 5 + .../esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf | 25 +++ .../hosts/carol/etc/strongswan.conf | 5 + .../esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf | 24 +++ .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat | 4 + testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat | 6 + testing/tests/ikev2/esp-alg-aes-gcm/test.conf | 21 +++ .../tests/ikev2/esp-alg-aesxcbc/description.txt | 4 - testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat | 5 - .../esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf | 25 --- .../esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf | 24 --- testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat | 4 - testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat | 6 - testing/tests/ikev2/esp-alg-aesxcbc/test.conf | 21 --- .../hosts/alice/etc/strongswan.conf | 5 + .../force-udp-encaps/hosts/sun/etc/strongswan.conf | 5 + .../host2host-cert/hosts/moon/etc/strongswan.conf | 5 + 
.../host2host-cert/hosts/sun/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/sun/etc/strongswan.conf | 5 + .../tests/ikev2/host2host-transport/evaltest.dat | 2 +- .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/sun/etc/strongswan.conf | 5 + testing/tests/ikev2/ip-pool-db/description.txt | 10 + testing/tests/ikev2/ip-pool-db/evaltest.dat | 26 +++ .../ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf | 24 +++ .../ip-pool-db/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf | 24 +++ .../ip-pool-db/hosts/dave/etc/strongswan.conf | 5 + .../ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf | 23 +++ .../ip-pool-db/hosts/moon/etc/strongswan.conf | 10 + testing/tests/ikev2/ip-pool-db/posttest.dat | 8 + testing/tests/ikev2/ip-pool-db/pretest.dat | 13 ++ testing/tests/ikev2/ip-pool-db/test.conf | 21 +++ testing/tests/ikev2/ip-pool-wish/description.txt | 11 ++ testing/tests/ikev2/ip-pool-wish/evaltest.dat | 23 +++ .../ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf | 24 +++ .../ip-pool-wish/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf | 24 +++ .../ip-pool-wish/hosts/dave/etc/strongswan.conf | 5 + .../ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf | 23 +++ .../ip-pool-wish/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/ip-pool-wish/posttest.dat | 6 + testing/tests/ikev2/ip-pool-wish/pretest.dat | 10 + testing/tests/ikev2/ip-pool-wish/test.conf | 21 +++ testing/tests/ikev2/ip-pool/description.txt | 10 + testing/tests/ikev2/ip-pool/evaltest.dat | 23 +++ .../tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf | 24 +++ .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf | 5 + .../tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf | 24 +++ .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf | 5 + .../tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf | 23 +++ .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/ip-pool/posttest.dat | 6 + testing/tests/ikev2/ip-pool/pretest.dat | 
10 + testing/tests/ikev2/ip-pool/test.conf | 21 +++ testing/tests/ikev2/mobike-nat/evaltest.dat | 6 +- .../ikev2/mobike-nat/hosts/alice/etc/ipsec.conf | 2 +- .../mobike-nat/hosts/alice/etc/strongswan.conf | 5 + .../ikev2/mobike-nat/hosts/sun/etc/ipsec.conf | 2 +- .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf | 5 + testing/tests/ikev2/mobike-nat/test.conf | 2 +- testing/tests/ikev2/mobike-virtual-ip/evaltest.dat | 6 +- .../mobike-virtual-ip/hosts/alice/etc/ipsec.conf | 2 +- .../hosts/alice/etc/strongswan.conf | 5 + .../mobike-virtual-ip/hosts/sun/etc/ipsec.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 5 + testing/tests/ikev2/mobike-virtual-ip/test.conf | 2 +- testing/tests/ikev2/mobike/evaltest.dat | 6 +- .../ikev2/mobike/hosts/alice/etc/strongswan.conf | 5 + .../ikev2/mobike/hosts/sun/etc/strongswan.conf | 5 + testing/tests/ikev2/mobike/test.conf | 2 +- .../tests/ikev2/multi-level-ca-ldap/evaltest.dat | 15 +- .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../ikev2/multi-level-ca-revoked/evaltest.dat | 2 - .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/moon/etc/ipsec.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/multi-level-ca/evaltest.dat | 8 + .../multi-level-ca/hosts/carol/etc/strongswan.conf | 5 + .../multi-level-ca/hosts/dave/etc/strongswan.conf | 5 + .../ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf | 1 - .../multi-level-ca/hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/nat-double-snat/description.txt | 6 - testing/tests/ikev2/nat-double-snat/evaltest.dat | 5 - .../nat-double-snat/hosts/alice/etc/ipsec.conf | 16 -- .../hosts/alice/etc/ipsec.d/certs/bobCert.pem | 25 --- .../ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf | 20 -- 
.../hosts/bob/etc/ipsec.d/certs/aliceCert.pem | 25 --- testing/tests/ikev2/nat-double-snat/posttest.dat | 8 - testing/tests/ikev2/nat-double-snat/pretest.dat | 11 -- testing/tests/ikev2/nat-double-snat/test.conf | 21 --- .../nat-one-rw/hosts/alice/etc/strongswan.conf | 5 + .../ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf | 5 + testing/tests/ikev2/nat-pf/description.txt | 4 - testing/tests/ikev2/nat-pf/evaltest.dat | 5 - .../tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf | 19 -- .../hosts/alice/etc/ipsec.d/certs/carolCert.pem | 25 --- .../tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf | 17 -- .../hosts/carol/etc/ipsec.d/certs/aliceCert.pem | 25 --- testing/tests/ikev2/nat-pf/posttest.dat | 5 - testing/tests/ikev2/nat-pf/pretest.dat | 7 - testing/tests/ikev2/nat-pf/test.conf | 21 --- .../nat-two-rw-psk/hosts/alice/etc/strongswan.conf | 5 + .../nat-two-rw-psk/hosts/sun/etc/strongswan.conf | 5 + .../nat-two-rw-psk/hosts/venus/etc/strongswan.conf | 5 + .../nat-two-rw/hosts/alice/etc/strongswan.conf | 5 + .../ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf | 5 + .../nat-two-rw/hosts/venus/etc/strongswan.conf | 5 + .../net2net-cert/hosts/moon/etc/strongswan.conf | 5 + .../net2net-cert/hosts/sun/etc/strongswan.conf | 5 + .../net2net-psk/hosts/moon/etc/strongswan.conf | 5 + .../net2net-psk/hosts/sun/etc/strongswan.conf | 5 + .../net2net-route/hosts/moon/etc/strongswan.conf | 5 + .../net2net-route/hosts/sun/etc/strongswan.conf | 5 + .../net2net-start/hosts/moon/etc/strongswan.conf | 5 + .../net2net-start/hosts/sun/etc/strongswan.conf | 5 + testing/tests/ikev2/ocsp-local-cert/evaltest.dat | 12 +- .../hosts/carol/etc/strongswan.conf | 5 + .../ocsp-local-cert/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/ocsp-multi-level/evaltest.dat | 6 +- .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/ocsp-no-signer-cert/evaltest.dat | 7 +- .../hosts/carol/etc/strongswan.conf | 5 + 
.../hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/ocsp-no-signer-cert/posttest.dat | 1 + .../tests/ikev2/ocsp-no-signer-cert/pretest.dat | 1 + testing/tests/ikev2/ocsp-revoked/evaltest.dat | 7 +- .../ocsp-revoked/hosts/carol/etc/strongswan.conf | 5 + .../ocsp-revoked/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/ocsp-root-cert/evaltest.dat | 12 +- .../ocsp-root-cert/hosts/carol/etc/strongswan.conf | 5 + .../ocsp-root-cert/hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/ocsp-signer-cert/description.txt | 2 +- testing/tests/ikev2/ocsp-signer-cert/evaltest.dat | 17 +- .../ocsp-signer-cert/hosts/carol/etc/ipsec.conf | 5 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat | 5 +- .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/ocsp-timeouts-good/evaltest.dat | 16 +- .../ocsp-timeouts-good/hosts/carol/etc/ipsec.conf | 3 +- .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/ocsp-timeouts-unknown/evaltest.dat | 5 +- .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/ocsp-untrusted-cert/evaltest.dat | 8 +- .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/ocsp-untrusted-cert/posttest.dat | 1 + .../tests/ikev2/ocsp-untrusted-cert/pretest.dat | 1 + .../protoport-dual/hosts/carol/etc/strongswan.conf | 5 + .../protoport-dual/hosts/moon/etc/strongswan.conf | 5 + .../hosts/carol/etc/strongswan.conf | 5 + .../protoport-route/hosts/moon/etc/strongswan.conf | 5 + .../reauth-early/hosts/carol/etc/strongswan.conf | 5 + .../reauth-early/hosts/moon/etc/strongswan.conf | 5 + .../reauth-late/hosts/carol/etc/strongswan.conf | 5 + .../reauth-late/hosts/moon/etc/strongswan.conf | 5 + .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf | 5 + 
.../ikev2/rw-cert/hosts/dave/etc/strongswan.conf | 5 + .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf | 5 + .../rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf | 1 - .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf | 1 + .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/rw-eap-md5-rsa/description.txt | 7 + testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat | 10 + .../rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf | 22 +++ .../rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets | 3 + .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf | 25 +++ .../rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets | 5 + .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat | 4 + testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat | 7 + testing/tests/ikev2/rw-eap-md5-rsa/test.conf | 21 +++ .../rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf | 1 - .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf | 1 + .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/rw-hash-and-url/description.txt | 10 + testing/tests/ikev2/rw-hash-and-url/evaltest.dat | 14 ++ .../rw-hash-and-url/hosts/carol/etc/ipsec.conf | 28 +++ .../hosts/carol/etc/strongswan.conf | 6 + .../rw-hash-and-url/hosts/dave/etc/ipsec.conf | 28 +++ .../rw-hash-and-url/hosts/dave/etc/strongswan.conf | 6 + .../rw-hash-and-url/hosts/moon/etc/ipsec.conf | 27 +++ .../rw-hash-and-url/hosts/moon/etc/strongswan.conf | 6 + testing/tests/ikev2/rw-hash-and-url/posttest.dat | 6 + testing/tests/ikev2/rw-hash-and-url/pretest.dat | 9 + testing/tests/ikev2/rw-hash-and-url/test.conf | 21 +++ .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf | 5 + .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf | 5 + .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf | 5 + 
.../rw-psk-ipv4/hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf | 5 + .../rw-psk-no-idr/hosts/carol/etc/strongswan.conf | 5 + .../rw-psk-no-idr/hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-no-idr/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat | 2 +- .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat | 2 +- .../rw-psk-rsa-split/hosts/carol/etc/ipsec.conf | 1 + .../hosts/carol/etc/strongswan.conf | 5 + .../rw-psk-rsa-split/hosts/dave/etc/ipsec.conf | 1 + .../hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-rsa-split/hosts/moon/etc/ipsec.conf | 1 + .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/two-certs/evaltest.dat | 7 +- .../two-certs/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/two-certs/hosts/dave/etc/strongswan.conf | 5 + .../ikev2/two-certs/hosts/moon/etc/ipsec.conf | 1 - .../ikev2/two-certs/hosts/moon/etc/strongswan.conf | 5 + .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/dave/etc/strongswan.conf | 5 + .../hosts/moon/etc/strongswan.conf | 5 + .../virtual-ip/hosts/carol/etc/strongswan.conf | 5 + .../virtual-ip/hosts/dave/etc/strongswan.conf | 5 + .../virtual-ip/hosts/moon/etc/strongswan.conf | 5 + .../wildcards/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/wildcards/hosts/dave/etc/strongswan.conf | 5 + .../ikev2/wildcards/hosts/moon/etc/strongswan.conf | 5 + .../host2host-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../host2host-ikev2/hosts/sun/etc/strongswan.conf | 5 + .../net2net-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../net2net-ikev2/hosts/sun/etc/strongswan.conf | 5 + .../tests/ipv6/net2net-ipv4-ikev2/description.txt | 4 + testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat | 5 + 
.../hosts/moon/etc/init.d/iptables | 107 +++++++++++ .../net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf | 27 +++ .../hosts/moon/etc/strongswan.conf | 5 + .../hosts/sun/etc/init.d/iptables | 107 +++++++++++ .../net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf | 27 +++ .../hosts/sun/etc/strongswan.conf | 5 + testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat | 2 + testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat | 6 + testing/tests/ipv6/net2net-ipv4-ikev2/test.conf | 21 +++ .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf | 5 + .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf | 5 + .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf | 5 + .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf | 5 + .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ipv6/transport-ikev2/evaltest.dat | 2 +- .../transport-ikev2/hosts/moon/etc/strongswan.conf | 5 + .../transport-ikev2/hosts/sun/etc/strongswan.conf | 5 + testing/tests/openssl/ecdsa-certs/description.txt | 11 ++ testing/tests/openssl/ecdsa-certs/evaltest.dat | 14 ++ .../openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf | 24 +++ .../carol/etc/ipsec.d/cacerts/strongswanCert.pem | 17 ++ .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 18 ++ .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 8 + .../ecdsa-certs/hosts/carol/etc/ipsec.secrets | 3 + .../ecdsa-certs/hosts/carol/etc/strongswan.conf | 5 + .../openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf | 24 +++ .../dave/etc/ipsec.d/cacerts/strongswanCert.pem | 17 ++ .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 19 ++ .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 6 + .../ecdsa-certs/hosts/dave/etc/ipsec.secrets | 3 + .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 5 + .../openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf | 23 +++ .../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 17 ++ .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 20 ++ .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 7 + 
.../ecdsa-certs/hosts/moon/etc/ipsec.secrets | 3 + .../ecdsa-certs/hosts/moon/etc/strongswan.conf | 5 + testing/tests/openssl/ecdsa-certs/posttest.dat | 6 + testing/tests/openssl/ecdsa-certs/pretest.dat | 9 + testing/tests/openssl/ecdsa-certs/test.conf | 21 +++ .../tests/openssl/ike-alg-ecp-high/description.txt | 17 ++ .../tests/openssl/ike-alg-ecp-high/evaltest.dat | 14 ++ .../ike-alg-ecp-high/hosts/carol/etc/ipsec.conf | 24 +++ .../hosts/carol/etc/strongswan.conf | 5 + .../ike-alg-ecp-high/hosts/dave/etc/ipsec.conf | 24 +++ .../hosts/dave/etc/strongswan.conf | 5 + .../ike-alg-ecp-high/hosts/moon/etc/ipsec.conf | 23 +++ .../hosts/moon/etc/strongswan.conf | 5 + .../tests/openssl/ike-alg-ecp-high/posttest.dat | 6 + testing/tests/openssl/ike-alg-ecp-high/pretest.dat | 9 + testing/tests/openssl/ike-alg-ecp-high/test.conf | 21 +++ .../tests/openssl/ike-alg-ecp-low/description.txt | 17 ++ testing/tests/openssl/ike-alg-ecp-low/evaltest.dat | 14 ++ .../ike-alg-ecp-low/hosts/carol/etc/ipsec.conf | 24 +++ .../hosts/carol/etc/strongswan.conf | 5 + .../ike-alg-ecp-low/hosts/dave/etc/ipsec.conf | 24 +++ .../ike-alg-ecp-low/hosts/dave/etc/strongswan.conf | 5 + .../ike-alg-ecp-low/hosts/moon/etc/ipsec.conf | 23 +++ .../ike-alg-ecp-low/hosts/moon/etc/strongswan.conf | 5 + testing/tests/openssl/ike-alg-ecp-low/posttest.dat | 6 + testing/tests/openssl/ike-alg-ecp-low/pretest.dat | 9 + testing/tests/openssl/ike-alg-ecp-low/test.conf | 21 +++ testing/tests/openssl/rw-cert/description.txt | 12 ++ testing/tests/openssl/rw-cert/evaltest.dat | 10 + .../openssl/rw-cert/hosts/carol/etc/ipsec.conf | 24 +++ .../rw-cert/hosts/carol/etc/strongswan.conf | 5 + .../openssl/rw-cert/hosts/dave/etc/ipsec.conf | 24 +++ .../openssl/rw-cert/hosts/dave/etc/strongswan.conf | 5 + .../openssl/rw-cert/hosts/moon/etc/ipsec.conf | 23 +++ .../openssl/rw-cert/hosts/moon/etc/strongswan.conf | 5 + testing/tests/openssl/rw-cert/posttest.dat | 6 + testing/tests/openssl/rw-cert/pretest.dat | 9 + 
testing/tests/openssl/rw-cert/test.conf | 21 +++ testing/tests/p2pnat/behind-same-nat/evaltest.dat | 10 +- .../hosts/alice/etc/init.d/iptables | 2 +- .../behind-same-nat/hosts/alice/etc/ipsec.conf | 8 +- .../hosts/alice/etc/strongswan.conf | 5 + .../behind-same-nat/hosts/carol/etc/ipsec.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 5 + .../hosts/venus/etc/init.d/iptables | 2 +- .../behind-same-nat/hosts/venus/etc/ipsec.conf | 8 +- .../hosts/venus/etc/strongswan.conf | 5 + testing/tests/p2pnat/medsrv-psk/evaltest.dat | 8 +- .../medsrv-psk/hosts/alice/etc/init.d/iptables | 2 +- .../p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf | 8 +- .../medsrv-psk/hosts/alice/etc/strongswan.conf | 5 + .../p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf | 8 +- .../medsrv-psk/hosts/bob/etc/strongswan.conf | 5 + .../p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf | 2 +- .../medsrv-psk/hosts/carol/etc/strongswan.conf | 5 + .../tests/sql/ip-pool-db-expired/description.txt | 10 + testing/tests/sql/ip-pool-db-expired/evaltest.dat | 26 +++ .../ip-pool-db-expired/hosts/carol/etc/ipsec.conf | 8 + .../hosts/carol/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 10 + .../ip-pool-db-expired/hosts/dave/etc/ipsec.conf | 8 + .../hosts/dave/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 10 + .../ip-pool-db-expired/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 171 +++++++++++++++++ .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/ip-pool-db-expired/posttest.dat | 10 + testing/tests/sql/ip-pool-db-expired/pretest.dat | 19 ++ testing/tests/sql/ip-pool-db-expired/test.conf | 21 +++ .../tests/sql/ip-pool-db-restart/description.txt | 10 + testing/tests/sql/ip-pool-db-restart/evaltest.dat | 26 +++ .../ip-pool-db-restart/hosts/carol/etc/ipsec.conf | 8 + .../hosts/carol/etc/ipsec.d/data.sql | 140 
++++++++++++++ .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 10 + .../ip-pool-db-restart/hosts/dave/etc/ipsec.conf | 8 + .../hosts/dave/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 10 + .../ip-pool-db-restart/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 171 +++++++++++++++++ .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/ip-pool-db-restart/posttest.dat | 10 + testing/tests/sql/ip-pool-db-restart/pretest.dat | 19 ++ testing/tests/sql/ip-pool-db-restart/test.conf | 21 +++ testing/tests/sql/ip-pool-db/description.txt | 10 + testing/tests/sql/ip-pool-db/evaltest.dat | 26 +++ .../sql/ip-pool-db/hosts/carol/etc/ipsec.conf | 8 + .../ip-pool-db/hosts/carol/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../sql/ip-pool-db/hosts/carol/etc/ipsec.secrets | 3 + .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf | 10 + .../tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf | 8 + .../sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../sql/ip-pool-db/hosts/dave/etc/ipsec.secrets | 3 + .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf | 10 + .../tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf | 8 + .../sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql | 147 +++++++++++++++ .../sql/ip-pool-db/hosts/moon/etc/ipsec.secrets | 3 + .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/ip-pool-db/posttest.dat | 10 + testing/tests/sql/ip-pool-db/pretest.dat | 18 ++ testing/tests/sql/ip-pool-db/test.conf | 21 +++ testing/tests/sql/net2net-cert/description.txt | 5 + testing/tests/sql/net2net-cert/evaltest.dat | 5 + .../sql/net2net-cert/hosts/moon/etc/ipsec.conf | 8 + .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../sql/net2net-cert/hosts/moon/etc/ipsec.secrets | 3 + .../net2net-cert/hosts/moon/etc/strongswan.conf | 10 + 
.../sql/net2net-cert/hosts/sun/etc/ipsec.conf | 8 + .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql | 138 ++++++++++++++ .../sql/net2net-cert/hosts/sun/etc/ipsec.secrets | 3 + .../sql/net2net-cert/hosts/sun/etc/strongswan.conf | 10 + testing/tests/sql/net2net-cert/posttest.dat | 6 + testing/tests/sql/net2net-cert/pretest.dat | 12 ++ testing/tests/sql/net2net-cert/test.conf | 21 +++ testing/tests/sql/net2net-psk/description.txt | 5 + testing/tests/sql/net2net-psk/evaltest.dat | 5 + .../sql/net2net-psk/hosts/moon/etc/ipsec.conf | 8 + .../net2net-psk/hosts/moon/etc/ipsec.d/data.sql | 90 +++++++++ .../sql/net2net-psk/hosts/moon/etc/ipsec.secrets | 3 + .../sql/net2net-psk/hosts/moon/etc/strongswan.conf | 10 + .../tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf | 8 + .../sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql | 84 +++++++++ .../sql/net2net-psk/hosts/sun/etc/ipsec.secrets | 3 + .../sql/net2net-psk/hosts/sun/etc/strongswan.conf | 10 + testing/tests/sql/net2net-psk/posttest.dat | 6 + testing/tests/sql/net2net-psk/pretest.dat | 12 ++ testing/tests/sql/net2net-psk/test.conf | 21 +++ testing/tests/sql/rw-cert/description.txt | 6 + testing/tests/sql/rw-cert/evaltest.dat | 10 + .../tests/sql/rw-cert/hosts/carol/etc/ipsec.conf | 8 + .../sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../sql/rw-cert/hosts/carol/etc/ipsec.secrets | 3 + .../sql/rw-cert/hosts/carol/etc/strongswan.conf | 10 + .../tests/sql/rw-cert/hosts/dave/etc/ipsec.conf | 8 + .../sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../tests/sql/rw-cert/hosts/dave/etc/ipsec.secrets | 3 + .../sql/rw-cert/hosts/dave/etc/strongswan.conf | 10 + .../tests/sql/rw-cert/hosts/moon/etc/ipsec.conf | 8 + .../sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql | 140 ++++++++++++++ .../tests/sql/rw-cert/hosts/moon/etc/ipsec.secrets | 3 + .../sql/rw-cert/hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/rw-cert/posttest.dat | 10 + testing/tests/sql/rw-cert/pretest.dat | 18 ++ 
testing/tests/sql/rw-cert/test.conf | 21 +++ testing/tests/sql/rw-psk-ipv4/description.txt | 6 + testing/tests/sql/rw-psk-ipv4/evaltest.dat | 10 + .../sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf | 8 + .../rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql | 84 +++++++++ .../sql/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets | 3 + .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf | 10 + .../sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf | 8 + .../rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql | 84 +++++++++ .../sql/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets | 3 + .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf | 10 + .../sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf | 8 + .../rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql | 114 ++++++++++++ .../sql/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets | 3 + .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/rw-psk-ipv4/posttest.dat | 10 + testing/tests/sql/rw-psk-ipv4/pretest.dat | 18 ++ testing/tests/sql/rw-psk-ipv4/test.conf | 21 +++ testing/tests/sql/rw-psk-ipv6/description.txt | 6 + testing/tests/sql/rw-psk-ipv6/evaltest.dat | 10 + .../rw-psk-ipv6/hosts/carol/etc/init.d/iptables | 107 +++++++++++ .../sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf | 8 + .../rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql | 84 +++++++++ .../sql/rw-psk-ipv6/hosts/carol/etc/ipsec.secrets | 3 + .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf | 10 + .../sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables | 107 +++++++++++ .../sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf | 8 + .../rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql | 84 +++++++++ .../sql/rw-psk-ipv6/hosts/dave/etc/ipsec.secrets | 3 + .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf | 10 + .../sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables | 107 +++++++++++ .../sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf | 8 + .../rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql | 114 ++++++++++++ .../sql/rw-psk-ipv6/hosts/moon/etc/ipsec.secrets | 3 + .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf | 10 + 
testing/tests/sql/rw-psk-ipv6/posttest.dat | 12 ++ testing/tests/sql/rw-psk-ipv6/pretest.dat | 21 +++ testing/tests/sql/rw-psk-ipv6/test.conf | 21 +++ testing/tests/sql/rw-psk-rsa-split/description.txt | 8 + testing/tests/sql/rw-psk-rsa-split/evaltest.dat | 12 ++ .../rw-psk-rsa-split/hosts/carol/etc/ipsec.conf | 8 + .../hosts/carol/etc/ipsec.d/data.sql | 116 ++++++++++++ .../rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 10 + .../sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf | 8 + .../hosts/dave/etc/ipsec.d/data.sql | 117 ++++++++++++ .../rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 10 + .../sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 191 +++++++++++++++++++ .../rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/rw-psk-rsa-split/posttest.dat | 10 + testing/tests/sql/rw-psk-rsa-split/pretest.dat | 18 ++ testing/tests/sql/rw-psk-rsa-split/test.conf | 21 +++ 648 files changed, 8817 insertions(+), 546 deletions(-) create mode 100644 testing/hosts/alice/etc/ipsec.d/ipsec.sql create mode 100644 testing/hosts/alice/etc/strongswan.conf create mode 100644 testing/hosts/bob/etc/ipsec.d/ipsec.sql create mode 100644 testing/hosts/bob/etc/strongswan.conf create mode 100644 testing/hosts/carol/etc/ipsec.d/ipsec.sql create mode 100644 testing/hosts/carol/etc/strongswan.conf create mode 100644 testing/hosts/dave/etc/ipsec.d/ipsec.sql create mode 100644 testing/hosts/dave/etc/strongswan.conf create mode 100644 testing/hosts/default/etc/ipsec.d/tables.sql create mode 100644 testing/hosts/moon/etc/ipsec.d/ipsec.sql create mode 100644 testing/hosts/moon/etc/strongswan.conf create mode 100644 testing/hosts/sun/etc/ipsec.d/ipsec.sql create mode 100644 testing/hosts/sun/etc/strongswan.conf create mode 100644 testing/hosts/venus/etc/ipsec.d/ipsec.sql create mode 100644 
testing/hosts/venus/etc/strongswan.conf create mode 100644 testing/hosts/winnetou/etc/openssl/certs/0e35060aed55a85aa8520815c166588fc35bcd93 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/1b260aa901f29db73635f568c34e27d1f1cb23ab create mode 100644 testing/hosts/winnetou/etc/openssl/certs/394ceefaef48af8394d9a0e63d74cc56a4117a23 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/430651fd670098ad72f02c4cc34a017f9931c88b create mode 100644 testing/hosts/winnetou/etc/openssl/certs/47a2450a79a68462c105747751a6526aa8a20277 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/4f4b98c28a1d286274f529e75000cfbb02ce4c64 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/53b5bf163ae90d54271288852c2ab062fb9e74e3 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/7c6a448fb938e5c19ab75631f0d0cbb92b25f2a9 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/7db109750703f47b822eb10cf205159f90fe3634 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/8dcd0fcfbfdcfce2480a4f18b20007517df2091f create mode 100644 testing/hosts/winnetou/etc/openssl/certs/8e9be7e9f0de2874707245ee200bfb971a646ba9 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/9ff39ec266e309f2b53748a4fe0cfd3923955ff4 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/a91bb369a86604673f42f25b3fc94422eb73afd5 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/af19b02dcdc28a4e86d1657b656f0cac63b5474b create mode 100644 testing/hosts/winnetou/etc/openssl/certs/b15a2fbbd5613781df896d28f82e4b0893011530 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/bb027269812f2cb0c1ba534c0016b7f33bdca83f create mode 100644 testing/hosts/winnetou/etc/openssl/certs/cedd2d5985ee0efde7acb2f788ed1a4237197d01 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/e07015ca76fba1039b247ce96c214bb038539cc8 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/e08213ec6a79e05c86a6f8a378eb4d5086352a7b create mode 100644 
testing/hosts/winnetou/etc/openssl/certs/f2595dbd1ee26d9df0e8c5beae47875c68b97b4c create mode 100644 testing/hosts/winnetou/etc/openssl/certs/research/0855c55d208f71747b88da0fabcce348be495ac0 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/research/29d8bec44f188d61072bad52bfaf6f8553342f15 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/research/91b2e4f8a1612a34c646fb8320aaf374cc78ab7b create mode 100644 testing/hosts/winnetou/etc/openssl/certs/research/fc384911d10e35814a20c92642873925eada85c3 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/sales/3f24becda29cf44f0e4e89f894b925ab7e7a0aac create mode 100644 testing/hosts/winnetou/etc/openssl/certs/sales/937fb1c8fa8bb3b169c63c8f77562592e44cfb32 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/sales/a4317f76f97afb3b6308c4b3496eb09d9efeed00 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/sales/fcc1991dae2d8444c841c386e1921c59882afcf2 create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/.rand create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber.old create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/index.txt create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.attr create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.attr.old create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.old create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/01.pem create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/02.pem create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/03.pem create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/04.pem create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/serial create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/serial.old create mode 100644 
testing/hosts/winnetou/etc/openssl/ecdsa/strongswan_ecCert.pem create mode 100644 testing/hosts/winnetou/etc/openssl/ecdsa/strongswan_ecKey.pem create mode 100755 testing/scripts/gstart-umls create mode 100644 testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev1/esp-alg-aesxcbc/description.txt create mode 100644 testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat create mode 100755 testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat create mode 100644 testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat create mode 100644 testing/tests/ikev1/esp-alg-aesxcbc/test.conf create mode 100644 testing/tests/ikev1/esp-alg-camellia/description.txt create mode 100644 testing/tests/ikev1/esp-alg-camellia/evaltest.dat create mode 100755 testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf create mode 100755 testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/esp-alg-camellia/posttest.dat create mode 100644 testing/tests/ikev1/esp-alg-camellia/pretest.dat create mode 100644 testing/tests/ikev1/esp-alg-camellia/test.conf create mode 100644 testing/tests/ikev2/alg-aes-xcbc/description.txt create mode 100644 testing/tests/ikev2/alg-aes-xcbc/evaltest.dat create mode 100755 testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf create mode 100644 
testing/tests/ikev2/alg-aes-xcbc/posttest.dat create mode 100644 testing/tests/ikev2/alg-aes-xcbc/pretest.dat create mode 100644 testing/tests/ikev2/alg-aes-xcbc/test.conf create mode 100644 testing/tests/ikev2/compress/description.txt create mode 100644 testing/tests/ikev2/compress/evaltest.dat create mode 100755 testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/compress/posttest.dat create mode 100644 testing/tests/ikev2/compress/pretest.dat create mode 100644 testing/tests/ikev2/compress/test.conf create mode 100644 testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf create mode 
100644 testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf create mode 100644 testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf create mode 100644 testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/description.txt create mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat create mode 100755 testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat create mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat create mode 100644 testing/tests/ikev2/esp-alg-aes-ccm/test.conf create mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/description.txt create mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat create mode 100755 testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf create mode 100755 
testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat create mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat create mode 100644 testing/tests/ikev2/esp-alg-aes-gcm/test.conf delete mode 100644 testing/tests/ikev2/esp-alg-aesxcbc/description.txt delete mode 100644 testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat delete mode 100755 testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf delete mode 100755 testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat delete mode 100644 testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat delete mode 100644 testing/tests/ikev2/esp-alg-aesxcbc/test.conf create mode 100644 testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ip-pool-db/description.txt create mode 100644 testing/tests/ikev2/ip-pool-db/evaltest.dat create mode 100755 testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf create 
mode 100755 testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ip-pool-db/posttest.dat create mode 100644 testing/tests/ikev2/ip-pool-db/pretest.dat create mode 100644 testing/tests/ikev2/ip-pool-db/test.conf create mode 100644 testing/tests/ikev2/ip-pool-wish/description.txt create mode 100644 testing/tests/ikev2/ip-pool-wish/evaltest.dat create mode 100755 testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ip-pool-wish/posttest.dat create mode 100644 testing/tests/ikev2/ip-pool-wish/pretest.dat create mode 100644 testing/tests/ikev2/ip-pool-wish/test.conf create mode 100644 testing/tests/ikev2/ip-pool/description.txt create mode 100644 testing/tests/ikev2/ip-pool/evaltest.dat create mode 100755 testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ip-pool/posttest.dat create mode 100644 testing/tests/ikev2/ip-pool/pretest.dat create mode 100644 testing/tests/ikev2/ip-pool/test.conf create mode 100644 testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf create mode 100644 
testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/nat-double-snat/description.txt delete mode 100644 testing/tests/ikev2/nat-double-snat/evaltest.dat delete mode 100644 testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem delete mode 100644 testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf delete mode 100644 
testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem delete mode 100644 testing/tests/ikev2/nat-double-snat/posttest.dat delete mode 100644 testing/tests/ikev2/nat-double-snat/pretest.dat delete mode 100644 testing/tests/ikev2/nat-double-snat/test.conf create mode 100644 testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/nat-pf/description.txt delete mode 100644 testing/tests/ikev2/nat-pf/evaltest.dat delete mode 100644 testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem delete mode 100644 testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem delete mode 100644 testing/tests/ikev2/nat-pf/posttest.dat delete mode 100644 testing/tests/ikev2/nat-pf/pretest.dat delete mode 100644 testing/tests/ikev2/nat-pf/test.conf create mode 100644 testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf create mode 100644 
testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf create 
mode 100644 testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-rsa/description.txt create mode 100644 testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat create mode 100644 
testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-md5-rsa/test.conf create mode 100644 testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-hash-and-url/description.txt create mode 100644 testing/tests/ikev2/rw-hash-and-url/evaltest.dat create mode 100755 testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-hash-and-url/posttest.dat create mode 100644 testing/tests/ikev2/rw-hash-and-url/pretest.dat create mode 100644 testing/tests/ikev2/rw-hash-and-url/test.conf create mode 100644 testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf create mode 100644 
testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 
testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/description.txt create mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat create mode 100755 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables create mode 100755 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat create mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat create mode 100644 testing/tests/ipv6/net2net-ipv4-ikev2/test.conf create mode 100644 testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/openssl/ecdsa-certs/description.txt create mode 100644 testing/tests/openssl/ecdsa-certs/evaltest.dat create mode 100755 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem 
create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/openssl/ecdsa-certs/posttest.dat create mode 100644 testing/tests/openssl/ecdsa-certs/pretest.dat create mode 100644 testing/tests/openssl/ecdsa-certs/test.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-high/description.txt create mode 100644 testing/tests/openssl/ike-alg-ecp-high/evaltest.dat create mode 100755 testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf create mode 100644 
testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-high/posttest.dat create mode 100644 testing/tests/openssl/ike-alg-ecp-high/pretest.dat create mode 100644 testing/tests/openssl/ike-alg-ecp-high/test.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-low/description.txt create mode 100644 testing/tests/openssl/ike-alg-ecp-low/evaltest.dat create mode 100755 testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/openssl/ike-alg-ecp-low/posttest.dat create mode 100644 testing/tests/openssl/ike-alg-ecp-low/pretest.dat create mode 100644 testing/tests/openssl/ike-alg-ecp-low/test.conf create mode 100644 testing/tests/openssl/rw-cert/description.txt create mode 100644 testing/tests/openssl/rw-cert/evaltest.dat create mode 100755 testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/openssl/rw-cert/posttest.dat create mode 100644 
testing/tests/openssl/rw-cert/pretest.dat create mode 100644 testing/tests/openssl/rw-cert/test.conf create mode 100644 testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf create mode 100644 testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf create mode 100644 testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/description.txt create mode 100644 testing/tests/sql/ip-pool-db-expired/evaltest.dat create mode 100755 testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/ip-pool-db-expired/posttest.dat create mode 100644 testing/tests/sql/ip-pool-db-expired/pretest.dat create mode 100644 testing/tests/sql/ip-pool-db-expired/test.conf create mode 
100644 testing/tests/sql/ip-pool-db-restart/description.txt create mode 100644 testing/tests/sql/ip-pool-db-restart/evaltest.dat create mode 100755 testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/ip-pool-db-restart/posttest.dat create mode 100644 testing/tests/sql/ip-pool-db-restart/pretest.dat create mode 100644 testing/tests/sql/ip-pool-db-restart/test.conf create mode 100644 testing/tests/sql/ip-pool-db/description.txt create mode 100644 testing/tests/sql/ip-pool-db/evaltest.dat create mode 100755 testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql create mode 100644 
testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/ip-pool-db/posttest.dat create mode 100644 testing/tests/sql/ip-pool-db/pretest.dat create mode 100644 testing/tests/sql/ip-pool-db/test.conf create mode 100644 testing/tests/sql/net2net-cert/description.txt create mode 100644 testing/tests/sql/net2net-cert/evaltest.dat create mode 100644 testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/sql/net2net-cert/posttest.dat create mode 100644 testing/tests/sql/net2net-cert/pretest.dat create mode 100644 testing/tests/sql/net2net-cert/test.conf create mode 100644 testing/tests/sql/net2net-psk/description.txt create mode 100644 testing/tests/sql/net2net-psk/evaltest.dat create mode 100644 testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.secrets create mode 100644 
testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/sql/net2net-psk/posttest.dat create mode 100644 testing/tests/sql/net2net-psk/pretest.dat create mode 100644 testing/tests/sql/net2net-psk/test.conf create mode 100644 testing/tests/sql/rw-cert/description.txt create mode 100644 testing/tests/sql/rw-cert/evaltest.dat create mode 100755 testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/rw-cert/posttest.dat create mode 100644 testing/tests/sql/rw-cert/pretest.dat create mode 100644 testing/tests/sql/rw-cert/test.conf create mode 100644 testing/tests/sql/rw-psk-ipv4/description.txt create mode 100644 testing/tests/sql/rw-psk-ipv4/evaltest.dat create mode 100755 testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf create mode 100644 
testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/rw-psk-ipv4/posttest.dat create mode 100644 testing/tests/sql/rw-psk-ipv4/pretest.dat create mode 100644 testing/tests/sql/rw-psk-ipv4/test.conf create mode 100644 testing/tests/sql/rw-psk-ipv6/description.txt create mode 100644 testing/tests/sql/rw-psk-ipv6/evaltest.dat create mode 100755 testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables create mode 100755 testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables create mode 100755 testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf create mode 100755 
testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/rw-psk-ipv6/posttest.dat create mode 100644 testing/tests/sql/rw-psk-ipv6/pretest.dat create mode 100644 testing/tests/sql/rw-psk-ipv6/test.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/description.txt create mode 100644 testing/tests/sql/rw-psk-rsa-split/evaltest.dat create mode 100755 testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/rw-psk-rsa-split/posttest.dat create mode 100644 testing/tests/sql/rw-psk-rsa-split/pretest.dat create mode 100644 testing/tests/sql/rw-psk-rsa-split/test.conf (limited to 'testing') 
diff --git a/testing/INSTALL b/testing/INSTALL index 39338b6bd..f7124cfd7 100644 --- a/testing/INSTALL +++ b/testing/INSTALL @@ -53,7 +53,7 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.2.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.4.tar.bz2 * Starting with Linux kernel 2.6.9 no patch must be applied any more in order to make the vanilla kernel UML-capable. For older kernels you'll find @@ -67,11 +67,11 @@ are required for the strongSwan testing environment: * A gentoo-based UML file system (compressed size 130 MBytes) found at - http://download.strongswan.org/uml/gentoo-fs-20071108.tar.bz2 + http://download.strongswan.org/uml/gentoo-fs-20080407.tar.bz2 * The latest strongSwan distribution - http://download.strongswan.org/strongswan-4.1.11.tar.gz + http://download.strongswan.org/strongswan-4.2.4.tar.bz2 3. Creating the environment @@ -146,5 +146,5 @@ README document. ----------------------------------------------------------------------------- -This file is RCSID $Id: INSTALL 3472 2008-02-14 21:26:21Z andreas $ +This file is RCSID $Id: INSTALL 4016 2008-05-25 10:35:39Z andreas $ diff --git a/testing/Makefile.in b/testing/Makefile.in index d132220fb..62e84dbf8 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.10.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -64,6 +64,7 @@ CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
@@ -93,6 +94,7 @@ LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
@@ -123,7 +125,6 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
-backenddir = @backenddir@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -134,12 +135,11 @@ builddir = @builddir@
 confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbus_CFLAGS = @dbus_CFLAGS@
-dbus_LIBS = @dbus_LIBS@
 docdir = @docdir@
 dvidir = @dvidir@
-eapdir = @eapdir@
 exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -149,12 +149,12 @@ htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
-interfacedir = @interfacedir@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecuid = @ipsecuid@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -167,10 +167,12 @@ plugindir = @plugindir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+resolv_conf = @resolv_conf@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 simreader = @simreader@
 srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
 top_builddir = @top_builddir@
diff --git a/testing/do-tests.in b/testing/do-tests.in
index 7aadafd6a..2996b5500 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests.in
@@ -14,7 +14,7 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: do-tests.in 3323 2007-11-07 12:22:44Z andreas $ +# RCSID $Id: do-tests.in 4114 2008-06-26 09:41:22Z andreas $ DIR=`dirname $0` @@ -233,13 +233,6 @@ do @EOF fi - if [ $SUBDIR = "ipv6" ] - then - IPTABLES="ip6tables" - else - IPTABLES="iptables" - fi - for name in $SUBTESTS do let "testnumber += 1" @@ -252,6 +245,13 @@ do continue fi + if [ $SUBDIR = "ipv6" -o $name = "rw-psk-ipv6" ] + then + IPTABLES="ip6tables" + else + IPTABLES="iptables" + fi + [ -f $DEFAULTTESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing" [ -f $DEFAULTTESTSDIR/${testname}/test.conf ] || die "!! File 'test.conf' is missing" [ -f $DEFAULTTESTSDIR/${testname}/pretest.dat ] || die "!! File 'pretest.dat' is missing" @@ -463,35 +463,51 @@ do > $TESTRESULTDIR/${host}.$command 2>/dev/null done - for file in ipsec.conf ipsec.secrets + for file in strongswan.conf ipsec.conf ipsec.secrets do scp $HOSTLOGIN:/etc/$file \ $TESTRESULTDIR/${host}.$file > /dev/null 2>&1 done + scp $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \ + $TESTRESULTDIR/${host}.ipsec.sql > /dev/null 2>&1 + + ssh $HOSTLOGIN ip -s xfrm policy \ + > $TESTRESULTDIR/${host}.ip.policy 2>/dev/null + ssh $HOSTLOGIN ip -s xfrm state \ + > $TESTRESULTDIR/${host}.ip.state 2>/dev/null ssh $HOSTLOGIN ip route list table $SOURCEIP_ROUTING_TABLE \ - > $TESTRESULTDIR/${host}.iproute 2>/dev/null + > $TESTRESULTDIR/${host}.ip.route 2>/dev/null ssh $HOSTLOGIN $IPTABLES -v -n -L \ > $TESTRESULTDIR/${host}.iptables 2>/dev/null + chmod a+r $TESTRESULTDIR/* cat >> $TESTRESULTDIR/index.html <<@EOF
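Review bot: The ip6tables selection in the new `if [ $SUBDIR = "ipv6" -o $name = "rw-psk-ipv6" ]` block keys on a hard-coded test name, so any further IPv6 test added outside the ipv6 subdirectory silently gets `iptables` and the firewall listing captured into the results is the wrong table. Both variables are also unquoted inside `[ ]`, so an empty value turns the comparison into a syntax error rather than a false result; `if [ "$SUBDIR" = "ipv6" -o "$name" = "rw-psk-ipv6" ]` is the minimal fix, and a per-test switch in test.conf, whose presence this hunk already checks, would remove the special case altogether. The enclosing `for name in $SUBTESTS` loop starts in the previous hunk and ends outside this one.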

$host

- +
- - +
+ + + + +
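Review bot: `chmod a+r $TESTRESULTDIR/*` makes every collected file world-readable, and the same hunk adds `ipsec.secrets` and `/etc/ipsec.d/ipsec.sql` to what is copied into that directory, so each host's secrets file (and an SQL dump that, given the `private_keys` and `shared_secrets` tables in the new tables.sql, may hold key material) ends up readable by every local user, and by anyone who can reach the results if the index.html written here is served over the web. Limit the relaxation to the non-secret artefacts, e.g. keep `chmod a+r $TESTRESULTDIR/*` and follow it with `chmod o-r $TESTRESULTDIR/*.ipsec.secrets $TESTRESULTDIR/*.ipsec.sql`, or redact the secrets before copying. The enclosing per-host loop starts and ends outside this hunk, and the index.html fragment after `cat >>` is mangled in this rendering, so the generated links could not be checked.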
diff --git a/testing/hosts/alice/etc/ipsec.d/ipsec.sql b/testing/hosts/alice/etc/ipsec.d/ipsec.sql
new file mode 100644
index 000000000..da38e9ab4
--- /dev/null
+++ b/testing/hosts/alice/etc/ipsec.d/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from ipsec.conf */
+/* credentials are read from ipsec.secrets */
diff --git a/testing/hosts/alice/etc/strongswan.conf b/testing/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/hosts/alice/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/hosts/bob/etc/ipsec.d/ipsec.sql b/testing/hosts/bob/etc/ipsec.d/ipsec.sql
new file mode 100644
index 000000000..da38e9ab4
--- /dev/null
+++ b/testing/hosts/bob/etc/ipsec.d/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from ipsec.conf */
+/* credentials are read from ipsec.secrets */
diff --git a/testing/hosts/bob/etc/strongswan.conf b/testing/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/hosts/bob/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/hosts/carol/etc/ipsec.d/ipsec.sql b/testing/hosts/carol/etc/ipsec.d/ipsec.sql
new file mode 100644
index 000000000..da38e9ab4
--- /dev/null
+++ b/testing/hosts/carol/etc/ipsec.d/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from ipsec.conf */
+/* credentials are read from ipsec.secrets */
diff --git a/testing/hosts/carol/etc/strongswan.conf b/testing/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/hosts/carol/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/hosts/dave/etc/ipsec.d/ipsec.sql b/testing/hosts/dave/etc/ipsec.d/ipsec.sql
new file mode 100644
index 000000000..da38e9ab4
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.d/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from ipsec.conf */
+/* credentials are read from ipsec.secrets */
diff --git a/testing/hosts/dave/etc/strongswan.conf b/testing/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/hosts/dave/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql
new file mode 100644
index 000000000..6b5be2bcf
--- /dev/null
+++ b/testing/hosts/default/etc/ipsec.d/tables.sql
@@ -0,0 +1,204 @@
+/* strongSwan SQLite database */
+
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ type INTEGER NOT NULL,
+ data BLOB NOT NULL,
+ UNIQUE (type, data)
+);
+
+DROP TABLE IF EXISTS child_configs;
+CREATE TABLE child_configs (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ name TEXT NOT NULL,
+ lifetime INTEGER NOT NULL DEFAULT '1200',
+ rekeytime INTEGER NOT NULL DEFAULT '1020',
+ jitter INTEGER NOT NULL DEFAULT '180',
+ updown TEXT DEFAULT NULL,
+ hostaccess INTEGER NOT NULL DEFAULT '0',
+ mode INTEGER NOT NULL DEFAULT '1',
+ dpd_action INTEGER NOT NULL DEFAULT '0',
+ close_action INTEGER NOT NULL DEFAULT '0',
+ ipcomp INTEGER NOT NULL DEFAULT '0'
+);
+DROP INDEX IF EXISTS child_configs_name;
+CREATE INDEX child_configs_name ON child_configs (
+ name
+);
+
+DROP TABLE IF EXISTS child_config_traffic_selector;
+CREATE TABLE child_config_traffic_selector (
+ child_cfg INTEGER NOT NULL,
+ traffic_selector INTEGER NOT NULL,
+ kind INTEGER NOT NULL
+);
+DROP INDEX IF EXISTS child_config_traffic_selector;
+CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector (
+ child_cfg, traffic_selector
+);
+
+DROP TABLE IF EXISTS ike_configs;
+CREATE TABLE ike_configs (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ certreq INTEGER NOT NULL DEFAULT '1',
+ force_encap INTEGER NOT NULL DEFAULT '0',
+ local TEXT NOT NULL,
+ remote TEXT NOT NULL
+);
+
+DROP TABLE IF EXISTS peer_configs;
+CREATE TABLE peer_configs (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ name TEXT NOT NULL,
+ ike_version INTEGER NOT NULL DEFAULT '2',
+ ike_cfg INTEGER NOT NULL,
+ local_id TEXT NOT NULL,
+ remote_id TEXT NOT NULL,
+ cert_policy INTEGER NOT NULL DEFAULT '1',
+ uniqueid INTEGER NOT NULL DEFAULT '0',
+ auth_method INTEGER NOT NULL DEFAULT '1',
+ eap_type INTEGER NOT NULL DEFAULT '0',
+ eap_vendor INTEGER NOT NULL DEFAULT '0',
+ keyingtries INTEGER NOT NULL DEFAULT '1',
+ rekeytime 
INTEGER NOT NULL DEFAULT '0',
+ reauthtime INTEGER NOT NULL DEFAULT '3600',
+ jitter INTEGER NOT NULL DEFAULT '180',
+ overtime INTEGER NOT NULL DEFAULT '300',
+ mobike INTEGER NOT NULL DEFAULT '1',
+ dpd_delay INTEGER NOT NULL DEFAULT '120',
+ virtual TEXT DEFAULT NULL,
+ pool TEXT DEFAULT NULL,
+ mediation INTEGER NOT NULL DEFAULT '0',
+ mediated_by INTEGER NOT NULL DEFAULT '0',
+ peer_id INTEGER NOT NULL DEFAULT '0'
+);
+DROP INDEX IF EXISTS peer_configs_name;
+CREATE INDEX peer_configs_name ON peer_configs (
+ name
+);
+
+DROP TABLE IF EXISTS peer_config_child_config;
+CREATE TABLE peer_config_child_config (
+ peer_cfg INTEGER NOT NULL,
+ child_cfg INTEGER NOT NULL,
+ PRIMARY KEY (peer_cfg, child_cfg)
+);
+
+DROP TABLE IF EXISTS traffic_selectors;
+CREATE TABLE traffic_selectors (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ type INTEGER NOT NULL DEFAULT '7',
+ protocol INTEGER NOT NULL DEFAULT '0',
+ start_addr BLOB DEFAULT NULL,
+ end_addr BLOB DEFAULT NULL,
+ start_port INTEGER NOT NULL DEFAULT '0',
+ end_port INTEGER NOT NULL DEFAULT '65535'
+);
+
+DROP TABLE IF EXISTS certificates;
+CREATE TABLE certificates (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ type INTEGER NOT NULL,
+ keytype INTEGER NOT NULL,
+ data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS certificate_identity;
+CREATE TABLE certificate_identity (
+ certificate INTEGER NOT NULL,
+ identity INTEGER NOT NULL,
+ PRIMARY KEY (certificate, identity)
+);
+
+DROP TABLE IF EXISTS private_keys;
+CREATE TABLE private_keys (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ type INTEGER NOT NULL,
+ data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS private_key_identity;
+CREATE TABLE private_key_identity (
+ private_key INTEGER NOT NULL,
+ identity INTEGER NOT NULL,
+ PRIMARY KEY (private_key, identity)
+);
+
+DROP TABLE IF EXISTS shared_secrets;
+CREATE TABLE shared_secrets (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ type INTEGER NOT NULL,
+ data BLOB NOT NULL
+);
+
+DROP TABLE IF 
EXISTS shared_secret_identity;
+CREATE TABLE shared_secret_identity (
+ shared_secret INTEGER NOT NULL,
+ identity INTEGER NOT NULL,
+ PRIMARY KEY (shared_secret, identity)
+);
+
+DROP TABLE IF EXISTS pools;
+CREATE TABLE pools (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ name TEXT NOT NULL,
+ start BLOB NOT NULL,
+ end BLOB NOT NULL,
+ next BLOB NOT NULL,
+ timeout INTEGER DEFAULT NULL,
+ UNIQUE (name)
+);
+DROP INDEX IF EXISTS pools_name;
+CREATE INDEX pools_name ON pools (
+ name
+);
+
+DROP TABLE IF EXISTS leases;
+CREATE TABLE leases (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ pool INTEGER NOT NULL,
+ address BLOB NOT NULL,
+ identity INTEGER NOT NULL,
+ acquired INTEGER NOT NULL,
+ released INTEGER DEFAULT NULL
+);
+DROP INDEX IF EXISTS leases_pool;
+CREATE INDEX leases_pool ON leases (
+ pool
+);
+DROP INDEX IF EXISTS leases_identity;
+CREATE INDEX leases_identity ON leases (
+ identity
+);
+DROP INDEX IF EXISTS leases_released;
+CREATE INDEX leases_released ON leases (
+ released
+);
+
+DROP TABLE IF EXISTS ike_sas;
+CREATE TABLE ike_sas (
+ local_spi BLOB NOT NULL PRIMARY KEY,
+ remote_spi BLOB NOT NULL,
+ id INTEGER NOT NULL,
+ initiator INTEGER NOT NULL,
+ local_id_type INTEGER NOT NULL,
+ local_id_data BLOB NOT NULL,
+ remote_id_type INTEGER NOT NULL,
+ remote_id_data BLOB NOT NULL,
+ host_family INTEGER NOT NULL,
+ local_host_data BLOB NOT NULL,
+ remote_host_data BLOB NOT NULL,
+ created INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+DROP TABLE IF EXISTS logs;
+CREATE TABLE logs (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ local_spi BLOB NOT NULL,
+ signal INTEGER NOT NULL,
+ level INTEGER NOT NULL,
+ msg TEXT NOT NULL,
+ time INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
diff --git a/testing/hosts/moon/etc/ipsec.d/ipsec.sql b/testing/hosts/moon/etc/ipsec.d/ipsec.sql
new file mode 100644
index 000000000..da38e9ab4
--- /dev/null
+++ b/testing/hosts/moon/etc/ipsec.d/ipsec.sql
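Review bot: `DROP INDEX IF EXISTS child_config_traffic_selector;` names the table rather than the index the next statement creates, so unlike every other DROP INDEX/CREATE INDEX pair in this file it never removes `child_config_traffic_selector_all`; it should read `DROP INDEX IF EXISTS child_config_traffic_selector_all;` (the preceding `DROP TABLE IF EXISTS` of the same table discards its indexes anyway, which is why the mismatch goes unnoticed). The file also carries no header beyond `/* strongSwan SQLite database */`, while `private_keys`, `shared_secrets` and `certificates` keep their material as plain `data BLOB` columns and `ike_sas` records SPIs, peer identities and host addresses; a comment at the top stating that nothing in the schema is encrypted and that the database file's mode and ownership are the only access control would help anyone reusing this schema outside the test hosts. The `peer_cfg`, `child_cfg`, `ike_cfg`, `identity` and `pool` columns reference other tables by id without any REFERENCES clause, so it is worth stating in that header that referential integrity is left to the application.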
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from ipsec.conf */
+/* credentials are read from ipsec.secrets */
diff --git a/testing/hosts/moon/etc/strongswan.conf b/testing/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/hosts/moon/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/hosts/sun/etc/ipsec.d/ipsec.sql b/testing/hosts/sun/etc/ipsec.d/ipsec.sql
new file mode 100644
index 000000000..da38e9ab4
--- /dev/null
+++ b/testing/hosts/sun/etc/ipsec.d/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from ipsec.conf */
+/* credentials are read from ipsec.secrets */
diff --git a/testing/hosts/sun/etc/strongswan.conf b/testing/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/hosts/sun/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/hosts/venus/etc/ipsec.d/ipsec.sql b/testing/hosts/venus/etc/ipsec.d/ipsec.sql
new file mode 100644
index 000000000..da38e9ab4
--- /dev/null
+++ b/testing/hosts/venus/etc/ipsec.d/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from ipsec.conf */
+/* credentials are read from ipsec.secrets */
diff --git a/testing/hosts/venus/etc/strongswan.conf b/testing/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..e79fe2c92
--- /dev/null
+++ b/testing/hosts/venus/etc/strongswan.conf
@@ -0,0 +1 @@
+# /etc/strongswan.conf - strongSwan configuration file
diff --git a/testing/hosts/winnetou/etc/openssl/certs/0e35060aed55a85aa8520815c166588fc35bcd93 b/testing/hosts/winnetou/etc/openssl/certs/0e35060aed55a85aa8520815c166588fc35bcd93
new file mode 100644
index 000000000..dcb5746ec
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/0e35060aed55a85aa8520815c166588fc35bcd93 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/1b260aa901f29db73635f568c34e27d1f1cb23ab b/testing/hosts/winnetou/etc/openssl/certs/1b260aa901f29db73635f568c34e27d1f1cb23ab
new file mode 100644
index 000000000..529fd2d45
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/1b260aa901f29db73635f568c34e27d1f1cb23ab differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/394ceefaef48af8394d9a0e63d74cc56a4117a23 b/testing/hosts/winnetou/etc/openssl/certs/394ceefaef48af8394d9a0e63d74cc56a4117a23
new file mode 100644
index 000000000..29cbe00d1
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/394ceefaef48af8394d9a0e63d74cc56a4117a23 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/430651fd670098ad72f02c4cc34a017f9931c88b b/testing/hosts/winnetou/etc/openssl/certs/430651fd670098ad72f02c4cc34a017f9931c88b
new file mode 100644
index 000000000..1be390003
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/430651fd670098ad72f02c4cc34a017f9931c88b differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/47a2450a79a68462c105747751a6526aa8a20277 b/testing/hosts/winnetou/etc/openssl/certs/47a2450a79a68462c105747751a6526aa8a20277
new file mode 100644
index 000000000..5044790eb
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/47a2450a79a68462c105747751a6526aa8a20277 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/4f4b98c28a1d286274f529e75000cfbb02ce4c64 b/testing/hosts/winnetou/etc/openssl/certs/4f4b98c28a1d286274f529e75000cfbb02ce4c64
new file mode 100644
index 000000000..2bf0d15d5
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/4f4b98c28a1d286274f529e75000cfbb02ce4c64 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/53b5bf163ae90d54271288852c2ab062fb9e74e3 b/testing/hosts/winnetou/etc/openssl/certs/53b5bf163ae90d54271288852c2ab062fb9e74e3
new file mode 100644
index 000000000..ac09de4f8
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/53b5bf163ae90d54271288852c2ab062fb9e74e3 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/7c6a448fb938e5c19ab75631f0d0cbb92b25f2a9 b/testing/hosts/winnetou/etc/openssl/certs/7c6a448fb938e5c19ab75631f0d0cbb92b25f2a9
new file mode 100644
index 000000000..ecc8b3f56
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/7c6a448fb938e5c19ab75631f0d0cbb92b25f2a9 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/7db109750703f47b822eb10cf205159f90fe3634 b/testing/hosts/winnetou/etc/openssl/certs/7db109750703f47b822eb10cf205159f90fe3634
new file mode 100644
index 000000000..87b809718
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/7db109750703f47b822eb10cf205159f90fe3634 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/8dcd0fcfbfdcfce2480a4f18b20007517df2091f b/testing/hosts/winnetou/etc/openssl/certs/8dcd0fcfbfdcfce2480a4f18b20007517df2091f
new file mode 100644
index 000000000..2a52f620d
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/8dcd0fcfbfdcfce2480a4f18b20007517df2091f differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/8e9be7e9f0de2874707245ee200bfb971a646ba9 b/testing/hosts/winnetou/etc/openssl/certs/8e9be7e9f0de2874707245ee200bfb971a646ba9
new file mode 100644
index 000000000..ab91cd3d1
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/8e9be7e9f0de2874707245ee200bfb971a646ba9 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/9ff39ec266e309f2b53748a4fe0cfd3923955ff4 b/testing/hosts/winnetou/etc/openssl/certs/9ff39ec266e309f2b53748a4fe0cfd3923955ff4
new file mode 100644
index 000000000..9e4bb373d
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/9ff39ec266e309f2b53748a4fe0cfd3923955ff4 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/a91bb369a86604673f42f25b3fc94422eb73afd5 b/testing/hosts/winnetou/etc/openssl/certs/a91bb369a86604673f42f25b3fc94422eb73afd5
new file mode 100644
index 000000000..cfca39504
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/a91bb369a86604673f42f25b3fc94422eb73afd5 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/af19b02dcdc28a4e86d1657b656f0cac63b5474b b/testing/hosts/winnetou/etc/openssl/certs/af19b02dcdc28a4e86d1657b656f0cac63b5474b
new file mode 100644
index 000000000..891800d67
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/af19b02dcdc28a4e86d1657b656f0cac63b5474b differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/b15a2fbbd5613781df896d28f82e4b0893011530 b/testing/hosts/winnetou/etc/openssl/certs/b15a2fbbd5613781df896d28f82e4b0893011530
new file mode 100644
index 000000000..8137fc7fa
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/b15a2fbbd5613781df896d28f82e4b0893011530 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/bb027269812f2cb0c1ba534c0016b7f33bdca83f b/testing/hosts/winnetou/etc/openssl/certs/bb027269812f2cb0c1ba534c0016b7f33bdca83f
new file mode 100644
index 000000000..804030056
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/bb027269812f2cb0c1ba534c0016b7f33bdca83f differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/cedd2d5985ee0efde7acb2f788ed1a4237197d01 b/testing/hosts/winnetou/etc/openssl/certs/cedd2d5985ee0efde7acb2f788ed1a4237197d01
new file mode 100644
index 000000000..0fcc92de4
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/cedd2d5985ee0efde7acb2f788ed1a4237197d01 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/e07015ca76fba1039b247ce96c214bb038539cc8 b/testing/hosts/winnetou/etc/openssl/certs/e07015ca76fba1039b247ce96c214bb038539cc8
new file mode 100644
index 000000000..b928af4da
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/e07015ca76fba1039b247ce96c214bb038539cc8 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/e08213ec6a79e05c86a6f8a378eb4d5086352a7b b/testing/hosts/winnetou/etc/openssl/certs/e08213ec6a79e05c86a6f8a378eb4d5086352a7b
new file mode 100644
index 000000000..7afadad25
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/e08213ec6a79e05c86a6f8a378eb4d5086352a7b differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/f2595dbd1ee26d9df0e8c5beae47875c68b97b4c b/testing/hosts/winnetou/etc/openssl/certs/f2595dbd1ee26d9df0e8c5beae47875c68b97b4c
new file mode 100644
index 000000000..0fd84ad38
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/f2595dbd1ee26d9df0e8c5beae47875c68b97b4c differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/research/0855c55d208f71747b88da0fabcce348be495ac0 b/testing/hosts/winnetou/etc/openssl/certs/research/0855c55d208f71747b88da0fabcce348be495ac0
new file mode 100644
index 000000000..7a0c66f34
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/research/0855c55d208f71747b88da0fabcce348be495ac0 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/research/29d8bec44f188d61072bad52bfaf6f8553342f15 b/testing/hosts/winnetou/etc/openssl/certs/research/29d8bec44f188d61072bad52bfaf6f8553342f15
new file mode 100644
index 000000000..a82b76e5e
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/research/29d8bec44f188d61072bad52bfaf6f8553342f15 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/research/91b2e4f8a1612a34c646fb8320aaf374cc78ab7b b/testing/hosts/winnetou/etc/openssl/certs/research/91b2e4f8a1612a34c646fb8320aaf374cc78ab7b
new file mode 100644
index 000000000..dd144594f
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/research/91b2e4f8a1612a34c646fb8320aaf374cc78ab7b differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/research/fc384911d10e35814a20c92642873925eada85c3 b/testing/hosts/winnetou/etc/openssl/certs/research/fc384911d10e35814a20c92642873925eada85c3
new file mode 100644
index 000000000..6a41d41f0
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/research/fc384911d10e35814a20c92642873925eada85c3 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/sales/3f24becda29cf44f0e4e89f894b925ab7e7a0aac b/testing/hosts/winnetou/etc/openssl/certs/sales/3f24becda29cf44f0e4e89f894b925ab7e7a0aac
new file mode 100644
index 000000000..83ae4280f
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/sales/3f24becda29cf44f0e4e89f894b925ab7e7a0aac differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/sales/937fb1c8fa8bb3b169c63c8f77562592e44cfb32 b/testing/hosts/winnetou/etc/openssl/certs/sales/937fb1c8fa8bb3b169c63c8f77562592e44cfb32
new file mode 100644
index 000000000..e0c092d4d
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/sales/937fb1c8fa8bb3b169c63c8f77562592e44cfb32 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/sales/a4317f76f97afb3b6308c4b3496eb09d9efeed00 b/testing/hosts/winnetou/etc/openssl/certs/sales/a4317f76f97afb3b6308c4b3496eb09d9efeed00
new file mode 100644
index 000000000..3bc7c777b
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/sales/a4317f76f97afb3b6308c4b3496eb09d9efeed00 differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/sales/fcc1991dae2d8444c841c386e1921c59882afcf2 b/testing/hosts/winnetou/etc/openssl/certs/sales/fcc1991dae2d8444c841c386e1921c59882afcf2
new file mode 100644
index 000000000..63294efab
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/sales/fcc1991dae2d8444c841c386e1921c59882afcf2 differ
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/.rand b/testing/hosts/winnetou/etc/openssl/ecdsa/.rand
new file mode 100644
index 000000000..ff05826f2
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/ecdsa/.rand differ
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber b/testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber
new file mode 100644
index 000000000..64969239d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber
@@ -0,0 +1 @@
+04
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber.old b/testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber.old
new file mode 100644
index 000000000..75016ea36
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/crlnumber.old
@@ -0,0 +1 @@
+03
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
new file mode 100644
index 000000000..1e0540f94
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
@@ -0,0 +1,4 @@
+V 130621144307Z 01 unknown /C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
+R 130621161252Z 080622162459Z 02 unknown /C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+V 130621161359Z 03 unknown /C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
+V 130621162918Z 04 unknown /C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.attr b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.attr
new file mode 100644
index 000000000..3a7e39e6e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.attr.old
new file mode 100644
index 000000000..3a7e39e6e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.old b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.old
new file mode 100644
index 000000000..a41b4599f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt.old
@@ -0,0 +1,3 @@
+V 130621144307Z 01 unknown /C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
+R 130621161252Z 080622162459Z 02 unknown /C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+V 130621161359Z 03 unknown /C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/01.pem
new file mode 100644
index 000000000..5178c7f38
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/01.pem
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO +PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs +5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9 +BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX +Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU +Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu +j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD +VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG +SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt +l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH +mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD +CI9WpQ== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/02.pem new file mode 100644 index 000000000..69f8841c9 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/02.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6jCCAk6gAwIBAgIBAjAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYxMjUyWhcNMTMwNjIxMTYxMjUyWjBfMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwVjAQBgcqhkjO +PQIBBgUrgQQACgNCAAQlXpPktKrfBWubyHuZOa6qs6oZEOyEvg2564RRwATbgbco +dyhpdDd4LAZSIcDznicaFnyAFXcH7petwggbFxY+o4IBFDCCARAwCQYDVR0TBAIw +ADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFKlXB+yOT1OKIF6OJJARCE2ehUfoMHgG +A1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQGEwJD +SDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dh +biBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ryb25n +c3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2Fu +Lm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GKADCBhgJBAUi8pORy +e8TjdVVGpvnMAyCfbY6XvMtn8leLAF1RLNGLvW9vYnpTJYwlFVQlnHDNp+bbVwfw +BxjbM3jZjh6IgWwCQVYJayzuhboLCs18sgr+VqOCEuVhVpDolGUFnP4427/6bQsq +hY98yakkyYM6xIHd7phMDg1v5ufWt0e/2Vp7r+v6 +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/03.pem new file mode 100644 index 000000000..075d8f1e5 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/03.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y +IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA +zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G +A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1 +atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai +dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw +MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj +LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH +ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/ +wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv +g+Z+grJzTppAqpwRpg== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/04.pem new file mode 100644 index 000000000..29709926a --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/04.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO +PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS +4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T +BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9 +MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry +b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz +d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+ +sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx +ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn +s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf new file mode 100644 index 000000000..6da2682b3 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf 
@@ -0,0 +1,184 @@
+# openssl.cnf - OpenSSL configuration file for the ZHW PKI
+# Mario Strasser
+#
+# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $
+#
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME = /etc/openssl/ecdsa
+RANDFILE = $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+[ new_oids ]
+SmartcardLogin = 1.3.6.1.4.1.311.20.2
+ClientAuthentication = 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca = root_ca # The default ca section
+
+####################################################################
+
+[ root_ca ]
+
+dir = $CAHOME
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/strongswan_ecCert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+crlnumber = $dir/crlnumber # The current CRL serial number
+private_key = $dir/strongswan_ecKey.pem # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = host_ext # The extentions to add to the cert
+
+crl_extensions = crl_ext # The extentions to add to the CRL
+
+default_days = 1825 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+email_in_dn = no # allow/forbid EMail in DN
+
+policy = policy_match # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = optional
+localityName = optional
+organizationName = match
+organizationalUnitName = optional
+userId = optional
+serialNumber = optional
+commonName = supplied
+emailAddress = optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = ca_ext # The extentions to add to the self signed cert
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = CH
+countryName_min = 2
+countryName_max = 2
+
+#stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = ZH
+
+#localityName = Locality Name (eg, city)
+#localityName_default = Winterthur
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Linux strongSwan
+
+0.organizationalUnitName = Organizational Unit Name (eg, section)
+#0.organizationalUnitName_default = Research
+
+#1.organizationalUnitName = Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId = UID
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = $ENV::COMMON_NAME
+commonName_max = 64
+
+#0.emailAddress = Email Address (eg, foo@bar.com)
+#0.emailAddress_min = 0
+#0.emailAddress_max = 40
+
+#1.emailAddress = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min = 0
+#1.emailAddress_max = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = DNS:$ENV::COMMON_NAME
+#extendedKeyUsage = OCSPSigning
+crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+subjectAltName = email:$ENV::COMMON_NAME
+#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
+crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_ec.crl
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints = critical, CA:TRUE
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName = issuer:copy
+authorityKeyIdentifier = keyid:always, issuer:always
+
+# eof
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/serial b/testing/hosts/winnetou/etc/openssl/ecdsa/serial
new file mode 100644
index 000000000..eeee65ec4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/serial
@@ -0,0 +1 @@
+05
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/serial.old b/testing/hosts/winnetou/etc/openssl/ecdsa/serial.old
new file mode 100644
index 000000000..64969239d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/serial.old
@@ -0,0 +1 @@
+04
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/strongswan_ecCert.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/strongswan_ecCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/strongswan_ecCert.pem
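Review bot: `default_bits = 1024` in the `[ req ]` section is below any acceptable RSA size today; this CA issues ECDSA certificates (the index.txt entries name 256/384/521-bit ECDSA subjects), but an `openssl req` run against this config without an explicit `-newkey` would still produce a 1024-bit RSA key, so raise it to `default_bits = 2048` or state in the header that `[ req ]` is unused by this CA. The `private_key = $dir/strongswan_ecKey.pem` referenced here is committed to the tree as a plain `BEGIN EC PRIVATE KEY` block with no encryption headers, which is fine for a UML test fixture but deserves a header line such as `# Test-only CA: the key in this directory is published in the source tree and must never sign anything outside the test network`. The header comment still describes the "ZHW PKI" and a "ca_init script", which does not match this checked-in copy.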
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/strongswan_ecKey.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/strongswan_ecKey.pem new file mode 100644 index 000000000..4a3b7c479 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ecdsa/strongswan_ecKey.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHbAgEBBEFJlQ5poxh00lP7dd/rWQe5grTgrFtUqguppHAY/JZL0eKNiS7PpAb8 +xLmROFGAUcpraen+l6K7GKEzTCh/uUeeFaAHBgUrgQQAI6GBiQOBhgAEARTHU2+M +0rNsMdpE8yyoh//pJtSnMFrvw39YjIXqtiPx7kxwCp9N/NR8UllihCf+Zs/dV+M7 +FG4wOOuV+92AzHCTAUOKBZB8eDcIltLt5COM7UyvHEglS19JOcXb20yHohgx3Fpk +qWgIYI6umYYIZ3EPb8rChfVIDcGWeNo23uRJOieS +-----END EC PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl index 99274c0ba..199ecf10e 100755 --- a/testing/hosts/winnetou/etc/openssl/generate-crl +++ b/testing/hosts/winnetou/etc/openssl/generate-crl 
@@ -32,4 +32,7 @@ cd /etc/openssl/sales
 openssl ca -gencrl -crldays 15 -config /etc/openssl/sales/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out sales.crl
 cp sales.crl /var/www/localhost/htdocs/
-
+cd /etc/openssl/ecdsa
+openssl ca -gencrl -crldays 15 -config /etc/openssl/ecdsa/openssl.cnf -out crl.pem
+openssl crl -in crl.pem -outform der -out strongswan_ec.crl
+cp strongswan_ec.crl /var/www/localhost/htdocs/
diff --git a/testing/make-testing b/testing/make-testing
index cf77a86d9..7d38af69e 100755
--- a/testing/make-testing
+++ b/testing/make-testing
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: make-testing,v 1.4 2005/02/14 15:27:42 as Exp $
+# RCSID $Id: make-testing 3517 2008-03-01 10:25:52Z andreas $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/build-umlhostfs b/testing/scripts/build-umlhostfs
index c73ce00d0..7cbfe9c97 100755
--- a/testing/scripts/build-umlhostfs
+++ b/testing/scripts/build-umlhostfs
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: build-umlhostfs 3273 2007-10-08 20:18:34Z andreas $
+# RCSID $Id: build-umlhostfs 3935 2008-05-12 20:06:58Z andreas $
 
 DIR=`dirname $0`
 
@@ -65,11 +65,12 @@ do
 cecho-n "$host.."
 cp gentoo-fs gentoo-fs-$host
 mount -o loop gentoo-fs-$host $LOOPDIR
- cp -rfp $BUILDDIR/hosts/${host}/etc $LOOPDIR
+ cp -rf $BUILDDIR/hosts/${host}/etc $LOOPDIR
 if [ "$host" = "winnetou" ]
 then
 mkdir $LOOPDIR/var/log/apache2/ocsp
- cp -rfp $UMLTESTDIR/testing/images $LOOPDIR/var/www/localhost/htdocs
+ cp -rf $UMLTESTDIR/testing/images $LOOPDIR/var/www/localhost/htdocs
+ chroot $LOOPDIR ln -s /etc/openssl/certs /var/www/localhost/htdocs/certs
 fi
 chroot $LOOPDIR /etc/init.d/depscan.sh --update >> $LOGFILE 2>&1
 
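Review bot: The new `cd /etc/openssl/ecdsa` is unchecked, so if that directory is missing on the image the three commands after it run in `/etc/openssl/sales` and clobber that CA's `crl.pem` (or fail on the `-config` path); write it as `cd /etc/openssl/ecdsa || exit 1`, which the earlier `cd` lines of this script would benefit from as well. Note also that `-crldays 15` on the `openssl ca -gencrl` line overrides the `default_crl_days= 30` set in the ECDSA openssl.cnf added by this same commit, so the config value is dead; a short comment on that line naming the command-line value as authoritative would avoid a later "fix" in the wrong place. The script's beginning lies outside the hunk.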
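Review bot: The added `chroot $LOOPDIR ln -s /etc/openssl/certs /var/www/localhost/htdocs/certs` publishes the entire `/etc/openssl/certs` tree of winnetou over HTTP, so whatever is dropped into that directory later is served too; the private keys in this commit live under `/etc/openssl/ecdsa`, not here, but the contract deserves a comment above the line, `# serves the CA's issued certificates; only public material may be placed in /etc/openssl/certs`. Dropping `-p` from the two `cp -rf` calls stops carrying the build host's ownership and timestamps into the image, which looks intentional, but a one-line comment saying so would keep someone from re-adding it. The enclosing `for` loop starts before the hunk.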
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 48d74950f..6a385dd28 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: build-umlrootfs 3471 2008-02-14 21:25:38Z andreas $
+# RCSID $Id: build-umlrootfs 4035 2008-06-05 07:25:27Z andreas $
 
 DIR=`dirname $0`
 
@@ -129,11 +129,10 @@ echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL
 echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
 echo -n "./configure --sysconfdir=/etc" >> $INSTALLSHELL
 echo -n " --with-random-device=/dev/urandom" >> $INSTALLSHELL
-echo -n " --enable-integrity-test" >> $INSTALLSHELL
 
 if [ "$USE_LIBCURL" = "yes" ]
 then
- echo -n " --enable-http" >> $INSTALLSHELL
+ echo -n " --enable-curl" >> $INSTALLSHELL
 fi
 
 if [ "$USE_LDAP" = "yes" ]
@@ -151,11 +150,31 @@ then
 echo -n " --enable-eap-sim" >> $INSTALLSHELL
 fi
 
-if [ "$USE_P2P" = "yes" ]
+if [ "$USE_EAP_MD5" = "yes" ]
 then
- echo -n " --enable-p2p" >> $INSTALLSHELL
+ echo -n " --enable-eap-md5" >> $INSTALLSHELL
+ fi
+
+if [ "$USE_SQL" = "yes" ]
+then
+ echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
+ fi
+
+if [ "$USE_MEDIATION" = "yes" ]
+then
+ echo -n " --enable-mediation" >> $INSTALLSHELL
+fi
+
+if [ "$USE_OPENSSL" = "yes" ]
+then
+ echo -n " --enable-openssl" >> $INSTALLSHELL
 fi
 
+if [ "$USE_INTEGRITY_TEST" = "yes" ]
+then
+ echo -n " --enable-integrity-test" >> $INSTALLSHELL
+fi
+
 if [ "$USE_LEAK_DETECTIVE" = "yes" ]
 then
 echo -n " --enable-leak-detective" >> $INSTALLSHELL
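Review bot: The `fi` closing the new `USE_EAP_MD5` and `USE_SQL` blocks is written `+ fi` with leading whitespace, while every other `fi` in this hunk sits at column 0; change both to `fi` so the new blocks match the surrounding style. Separately, the `--enable-eap-sim` block this hunk extends is driven by the `testing.conf` change in the same commit, where the variable is written `USE EAP_SIM="yes"` (underscore missing), so that option will silently never be passed to configure; the fix belongs in testing.conf. The enclosing if-chain begins before the hunk.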
@@ -171,6 +190,12 @@ chroot $LOOPDIR /bin/bash /install.sh >> $LOGFILE 2>&1
 rm -f $INSTALLSHELL
 cgecho "done"
 
+######################################################
+# copying default /etc/ipsec.d/tables.sql to the root filesystem
+#
+cecho " * Copying '$HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql' to the root filesystem"
+cp -fp $HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql $LOOPDIR/etc/ipsec.d/tables.sql
+
 ######################################################
 # copying the host's ssh public key
 #
diff --git a/testing/scripts/gstart-umls b/testing/scripts/gstart-umls
new file mode 100755
index 000000000..40869d0a8
--- /dev/null
+++ b/testing/scripts/gstart-umls
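Review bot: The new `cp -fp $HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql $LOOPDIR/etc/ipsec.d/tables.sql` has no failure handling and assumes `$LOOPDIR/etc/ipsec.d` already exists after the chrooted install; if it does not, `cp` prints an error and the build carries on with the SQL schema missing from the image. Route the error into the build log like the neighbouring steps and make the precondition explicit, e.g. `mkdir -p $LOOPDIR/etc/ipsec.d` before the copy and `>> $LOGFILE 2>&1 || cecho "!! failed to copy tables.sql"` after it. Whether the install step creates `etc/ipsec.d` is not visible in this hunk.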
@@ -0,0 +1,127 @@
+#!/bin/bash
+# starts the UML instances in an gnome-terminal (requires X11R6)
+#
+# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: gstart-umls 3912 2008-05-08 08:22:07Z andreas $
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+if [ "$#" -eq 0 ]
+then
+ HOSTS=$STRONGSWANHOSTS
+else
+ HOSTS=$*
+fi
+
+BOOTING_HOSTS=""
+count_max=12
+count=0
+
+#position of xterm window on the desktop
+x0=8
+y0=52
+dx=12
+dy=24
+
+for host in $HOSTS
+do
+ up=0
+
+ if [ -d ~/.uml/${host} ]
+ then
+ pid=`cat ~/.uml/${host}/pid`
+ up=`ps up $pid | wc -l`
+ fi
+
+ if [ $up -eq 2 ]
+ then
+ cecho " * Great, ${host} is already running!"
+ else
+ rm -rf ~/.uml/${host}
+ BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
+ let "count_max += 12"
+
+ UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
+ [ -f $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
+
+ cecho-n " * Starting ${host}.."
+ eval gnome-terminal --title=${host} --geometry="+${x0}+${y0}" --show-menubar --execute "$UMLKERNEL \
+ umid=${host} \
+ ubda=$UMLHOSTFS \
+ \$SWITCH_${host} \
+ mem=${MEM}M con=pty con0=fd:0,fd:1" &
+ cgecho "done"
+ fi
+ let "x0+=dx"
+ let "y0+=dy"
+ sleep 15
+done
+
+if [ -z "$BOOTING_HOSTS" ]
+then
+ exit 0
+fi
+
+cecho " * Waiting for the uml instances to finish booting"
+
+for host in $BOOTING_HOSTS
+do
+ cecho-n " * Checking on $host.."
+
+ while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
+ do
+ cecho-n "."
+ sleep 5
+ let "count+=1"
+ done
+
+ if [ $count -ge $count_max ]
+ then
+ cecho "exit"
+ exit 1
+ fi
+
+ up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
+
+ while [ $count -lt $count_max ] && [ $up -eq 0 ]
+ do
+ cecho-n "."
+ sleep 5
+ up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
+ let "count+=1"
+ done
+
+ if [ $count -ge $count_max ]
+ then
+ cecho "exit"
+ exit 1
+ else
+ cgecho "up"
+ fi
+
+ if [ "$host" = "alice" ]
+ then
+ eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+ ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
+ fi
+done
+
+cecho " * All uml instances are up now"
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
index b953ddeac..62cbf83cf 100755
--- a/testing/scripts/kstart-umls
+++ b/testing/scripts/kstart-umls
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: kstart-umls 3470 2008-02-14 21:24:54Z andreas $
+# RCSID $Id: kstart-umls 3514 2008-02-29 17:00:07Z andreas $
 
 DIR=`dirname $0`
 
@@ -120,7 +120,7 @@ do
 if [ "$host" = "alice" ]
 then
 eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- ssh $ipv4_alice /etc/init.d/net.eth1 stop
+ ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
 fi
 done
 
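Review bot: The `if [ "$host" = "alice" ] ... ssh root@$ipv4_alice /etc/init.d/net.eth1 stop ... fi` block at the end of the boot-check loop is duplicated verbatim in this commit across gstart-umls, kstart-umls, start-umls and xstart-umls; since each of these scripts already does `source $DIR/function.sh`, one helper there (say `stop_alice_eth1`) would keep the four copies from drifting the way the `ssh`/`ssh root@` variants already did in kstart-umls. The header line `# starts the UML instances in an gnome-terminal (requires X11R6)` reads like a copy of the xterm script's header; `# starts the UML instances in a gnome-terminal (requires GNOME)` describes this file. The liveness test `up=\`ps up $pid | wc -l\`` compared against 2 presumably relies on `ps` printing a header plus exactly one row for a live pid; a comment saying so would spare the next reader the guess.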
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index e4dd63d59..873e4d1ee 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: load-testconfig 3273 2007-10-08 20:18:34Z andreas $
+# RCSID $Id: load-testconfig 3935 2008-05-12 20:06:58Z andreas $
 
 DIR=`dirname $0`
 
@@ -47,7 +47,7 @@ then
 for host in `ls $TESTSDIR/$testname/hosts`
 do
 eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- scp -rp $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
+ scp -r $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
 done
 fi
 
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index dc2ebb312..3af0ec665 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: restore-defaults 3273 2007-10-08 20:18:34Z andreas $
+# RCSID $Id: restore-defaults 3935 2008-05-12 20:06:58Z andreas $
 
 DIR=`dirname $0`
 
@@ -48,6 +48,6 @@ then
 for host in `ls $TESTSDIR/${testname}/hosts`
 do
 eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- scp -rp $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
+ scp -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
 done
 fi
diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches
index 118a2250e..eb3fa4742 100755
--- a/testing/scripts/start-switches
+++ b/testing/scripts/start-switches
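Review bot: Dropping `-p` from `scp -r $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/` in load-testconfig (and from the matching line in restore-defaults on this same page) stops preserving modification times, and the hunk gives no hint why; if the `etc` trees being pushed carry private keys under `ipsec.d/private`, it is worth confirming that those files still land mode 0600 on the UML hosts, since the copy's output is sent to `/dev/null` and a permission problem would show up only as a later charon failure. A comment on the `scp -r` line stating the reason (presumably not carrying the build host's timestamps) would make the change self-explanatory. The enclosing loop begins before the hunk.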
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: start-switches 3273 2007-10-08 20:18:34Z andreas $
+# RCSID $Id: start-switches 3590 2008-03-13 14:20:20Z martin $
 
 DIR=`dirname $0`
 
diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls
index 50cd65da4..7490cdf0b 100755
--- a/testing/scripts/start-umls
+++ b/testing/scripts/start-umls
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: start-umls 3273 2007-10-08 20:18:34Z andreas $
+# RCSID $Id: start-umls 3590 2008-03-13 14:20:20Z martin $
 
 DIR=`dirname $0`
 
@@ -107,6 +107,12 @@ do
 else
 cgecho "up"
 fi
+
+ if [ "$host" = "alice" ]
+ then
+ eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+ ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
+ fi
 done
 
 cecho " * All uml instances are up now"
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
index 8cd76c133..8d2a70c4d 100755
--- a/testing/scripts/xstart-umls
+++ b/testing/scripts/xstart-umls
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: xstart-umls 3273 2007-10-08 20:18:34Z andreas $
+# RCSID $Id: xstart-umls 3590 2008-03-13 14:20:20Z martin $
 
 DIR=`dirname $0`
 
@@ -116,6 +116,12 @@ do
 else
 cgecho "up"
 fi
+
+ if [ "$host" = "alice" ]
+ then
+ eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+ ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
+ fi
 done
 
 cecho " * All uml instances are up now"
diff --git a/testing/start-testing b/testing/start-testing
index 28f9c3bf5..3f8cf718e 100755
--- a/testing/start-testing
+++ b/testing/start-testing
@@ -14,7 +14,7 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: start-testing,v 1.4 2004/12/07 18:04:57 as Exp $ +# RCSID $Id: start-testing 3517 2008-03-01 10:25:52Z andreas $ DIR=`dirname $0` diff --git a/testing/stop-testing b/testing/stop-testing index 013bf793c..c870a8b0b 100755 --- a/testing/stop-testing +++ b/testing/stop-testing @@ -14,7 +14,7 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: stop-testing,v 1.3 2004/12/07 18:04:57 as Exp $ +# RCSID $Id: stop-testing 3517 2008-03-01 10:25:52Z andreas $ DIR=`dirname $0` diff --git a/testing/testing.conf b/testing/testing.conf index 7665f877a..ae4bc92ae 100755 --- a/testing/testing.conf +++ b/testing/testing.conf 
@@ -14,40 +14,45 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: testing.conf,v 1.52 2006/04/24 16:58:03 as Exp $ +# RCSID $Id: testing.conf 4022 2008-05-28 14:13:40Z andreas $ # Root directory of testing UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required) -KERNEL=$UMLTESTDIR/linux-2.6.23.11.tar.bz2 +KERNEL=$UMLTESTDIR/linux-2.6.26-rc3.tar.bz2 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` # Kernel configuration file -KERNELCONFIG=$UMLTESTDIR/.config-2.6.23 +KERNELCONFIG=$UMLTESTDIR/.config-2.6.26 # Bzipped uml patch for kernel # (not needed anymore for 2.6.9 kernel or higher) #UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.1.10.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.2.4.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" USE_LDAP="yes" USE_EAP_AKA="yes" -USE_P2P="yes" +USE EAP_SIM="yes" +USE_EAP_MD5="yes" +USE_SQL="yes" +USE_MEDIATION="yes" +USE_OPENSSL="yes" +USE_INTEGRITY_TEST="no" USE_LEAK_DETECTIVE="no" # Gentoo linux root filesystem -ROOTFS=$UMLTESTDIR/gentoo-fs-20071108.tar.bz2 +ROOTFS=$UMLTESTDIR/gentoo-fs-20080407.tar.bz2 # Size of the finished root filesystem in MB -ROOTFSSIZE=544 +ROOTFSSIZE=600 # Amount of Memory to use per UML [MB]. # If "auto" is stated 1/12 of total host ram will be used. @@ -87,8 +92,10 @@ ENABLE_STOP_TESTING="no" ############################################################## # How to start the UMLs? # -# Start the UML instance in KDE konsole (requires KDE) -UMLSTARTMODE="konsole" +# Start the UML instance in a KDE konsole (requires KDE) +# UMLSTARTMODE="konsole" +# Start the UML instance in a gnome-terminal (requires gnome) +UMLSTARTMODE="gnome-terminal" # Start the UML instance in an xterm (requires X11R6) # UMLSTARTMODE="xterm" # Start the UML instance without a terminal window 
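Review bot: `USE EAP_SIM="yes"` in the new compile-options block is missing the underscore, so when testing.conf is sourced the shell tries to run a command named `USE` with the argument `EAP_SIM=yes` and `USE_EAP_SIM` is never set; it should read `USE_EAP_SIM="yes"`. The neighbouring options (`USE_EAP_MD5`, `USE_SQL`, `USE_MEDIATION`, `USE_OPENSSL`, `USE_INTEGRITY_TEST`) all use the underscore form, which is presumably what the build scripts consuming this file test for. If `USE_MEDIATION` is the replacement for the removed `USE_P2P`, a comment saying so next to it would help anyone carrying an older testing.conf.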
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index a9c9b803a..a2ae3ff6b 100644
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
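Review bot: The `load` line in these four new strongswan.conf files carries no comment, although it is the setting that restricts charon to an explicit plugin set and has to cover every algorithm a test proposes (the alg-aes-xcbc test added later in this commit depends on `xcbc` being in this list for its `ike=aes256-aesxcbc-modp2048!` proposal). The same five-line file is copied verbatim into every test host directory in this commit, so a comment above the charon block such as `# plugins charon may load; keep in sync with the USE_* options in testing.conf and the proposals in each test's ipsec.conf` would help whoever next adds an algorithm. `des` and `md5` are loaded on every host even though no proposal visible in this chunk uses them; if a particular test relies on them, naming it in that comment would justify keeping the list identical everywhere.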
@@ -1,9 +1,10 @@ - carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(blowfish)::YES +moon::ip xfrm state::enc cbc(blowfish)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat index 6b792538b..ffca0e7a0 100644 --- a/testing/tests/ikev1/alg-serpent/evaltest.dat +++ b/testing/tests/ikev1/alg-serpent/evaltest.dat @@ -1,9 +1,10 @@ - carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(serpent)::YES +moon::ip xfrm state::enc cbc(serpent)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat index 9b4caa278..42d0099eb 100644 
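Review bot: The new `carol::ip xfrm state::enc cbc(blowfish)::YES` lines contain parentheses whose meaning depends on how the pattern column is matched: the `.*` in the neighbouring `ipsec status` lines shows it is treated as a regular expression, and under extended-regex rules `cbc(blowfish)` matches the string `cbcblowfish`, not the literal `cbc(blowfish)` that `ip xfrm state` prints. Please confirm against the matcher in do-tests (not visible in this chunk) and, if it is an extended regex, escape the parentheses. The same applies to the alg-serpent hunk on this line, the alg-sha2_256 and alg-twofish hunks that follow, and the `N(IPCOMP_SUPP)` patterns in the new ikev2/compress evaltest.dat.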
--- a/testing/tests/ikev1/alg-sha2_256/evaltest.dat +++ b/testing/tests/ikev1/alg-sha2_256/evaltest.dat @@ -1,9 +1,11 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ip xfrm state::auth hmac(sha256)::YES +moon::ip xfrm state::auth hmac(sha256)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat index 0568eec6e..69e9267c3 100644 --- a/testing/tests/ikev1/alg-twofish/evaltest.dat +++ b/testing/tests/ikev1/alg-twofish/evaltest.dat @@ -1,8 +1,10 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(twofish)::YES +moon::ip xfrm state::enc cbc(twofish)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES 
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
new file mode 100644
index 000000000..fef0ac2dd
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior carol proposes to gateway moon the ESP cipher suite
+AES_256/AES_XCBC_MAC by defining esp=aes256-aesxcbc-modp2048
+in ipsec.conf. A ping from carol to alice successfully checks
+the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
new file mode 100644
index 000000000..f464bda65
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
@@ -0,0 +1,9 @@
+
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES
+moon::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES
+carol::ip xfrm state::auth xcbc(aes)::YES
+moon::ip xfrm state::auth xcbc(aes)::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ed905d05f
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ ike=aes256-sha2_256-modp2048!
+ esp=aes256-aesxcbc!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
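Review bot: description.txt states that carol proposes `esp=aes256-aesxcbc-modp2048`, but carol's ipsec.conf in the same set of hunks configures `esp=aes256-aesxcbc!` with no DH group, so the documentation and the configuration disagree on whether a PFS group is part of the proposal; one of the two should change, most simply the description to `esp=aes256-aesxcbc`. The esp-alg-camellia description (`esp=camellia192-sha2_256-modp2048`) has the same mismatch with its ipsec.conf (`esp=camellia192-sha2_256!`). The new ipsec.conf files are also committed with mode 100755; a configuration file does not need the execute bit.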
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f1b7ff56d
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ ike=aes256-sha2_256-modp2048!
+ esp=aes256-aesxcbc!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightid=carol@strongswan.org
+ auto=add
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
new file mode 100644
index 000000000..a6c8f026c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
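Review bot: pretest.dat turns forwarding on with `moon::echo 1 > /proc/sys/net/ipv4/ip_forward`, but posttest.dat only stops ipsec on both hosts, so the sysctl stays set for whatever test runs next on the same guest; restore-defaults (earlier in this commit) copies /etc back but does not touch runtime kernel state. Adding `moon::echo 0 > /proc/sys/net/ipv4/ip_forward` to posttest.dat would return moon to the state the pretest line implies it boots in. The esp-alg-camellia and ikev2/compress pretest/posttest pairs added in this commit have the same asymmetry.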
@@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/esp-alg-camellia/description.txt b/testing/tests/ikev1/esp-alg-camellia/description.txt new file mode 100644 index 000000000..ead39f580 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior carol proposes to gateway moon the ESP cipher suite +CAMELLIA_192/HMAC_SHA2_256 by defining esp=camellia192-sha2_256-modp2048 +in ipsec.conf. A ping from carol to alice successfully checks +the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat new file mode 100644 index 000000000..b2871dabd --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(camellia)::YES +moon::ip xfrm state::enc cbc(camellia)::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..fe74cc285 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf 
@@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes192-sha2_256-modp2048! + esp=camellia192-sha2_256! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..33871d484 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes192-sha2_256-modp2048! + esp=camellia192-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-camellia/posttest.dat b/testing/tests/ikev1/esp-alg-camellia/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-camellia/pretest.dat b/testing/tests/ikev1/esp-alg-camellia/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home 
diff --git a/testing/tests/ikev1/esp-alg-camellia/test.conf b/testing/tests/ikev1/esp-alg-camellia/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/req-pkcs10/pretest.dat b/testing/tests/ikev1/req-pkcs10/pretest.dat index 18b8b16e6..cb4355efa 100644 --- a/testing/tests/ikev1/req-pkcs10/pretest.dat +++ b/testing/tests/ikev1/req-pkcs10/pretest.dat @@ -16,6 +16,7 @@ winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/ winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/ +carol::sleep 2 carol::ipsec start moon::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat index 1b8fc3b79..4ac57ab16 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat @@ -2,3 +2,4 @@ carol::ipsec start moon::ipsec start carol::sleep 2 carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt new file mode 100644 index 000000000..24a4afe57 --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/description.txt 
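Review bot: The `carol::sleep 2` inserted before `carol::ipsec start` in req-pkcs10/pretest.dat is a fixed delay with no stated reason; presumably it gives the preceding `scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/` time to land before the daemons load certificates, but a timing-based wait is fragile on a loaded host. The .dat files do not appear to carry comments, so recording why the wait is needed in the test's description.txt would help the next person who sees it time out; the same goes for the `carol::sleep 1` appended to xauth-rsa-fail/pretest.dat on this line.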
@@ -0,0 +1,4 @@ +Roadwarrior carol proposes to gateway moon the ESP cipher suite +AES_CBC-256/AES_XCBC_96 by defining esp=aes256-aesxcbc-modp2048 +in ipsec.conf. The same cipher suite is used for IKE: ike=aes256-aesxcbc-modp2048. +A ping from carol to alice successfully checks the established tunnel. diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat new file mode 100644 index 000000000..853746cd4 --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES +carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES +moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES +carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES +moon::ip xfrm state::auth xcbc(aes)::YES +carol::ip xfrm state::auth xcbc(aes)::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..edd0aaaf8 --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-aesxcbc-modp2048! + esp=aes256-aesxcbc-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add 
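Review bot: The ping line in the new alg-aes-xcbc evaltest.dat hard-codes `10.1.0.10` where every other evaltest in this commit uses the `PH_IP_ALICE` placeholder (`carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES`), so this one test would start failing if alice's address were ever changed in the harness. `carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES` keeps the larger payload and the pattern while staying consistent with the other tests.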
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..18618929f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-aesxcbc-modp2048!
+ esp=aes256-aesxcbc-modp2048!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
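Review bot: moon's `conn rw` in the new alg-aes-xcbc ipsec.conf has `right=%any` with no `rightid`, whereas the moon configurations added alongside it (ikev2/compress and the ikev1/esp-alg-* tests) pin `rightid=carol@strongswan.org`; as I read it, any peer presenting a certificate from the trusted CA then matches this connection, which is wider than the carol-to-moon scenario the test's description.txt describes. If that is intentional, a comment in the conn block saying so would help; otherwise add `rightid=carol@strongswan.org` under `right=%any` to keep the test consistent with its siblings.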
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/compress/description.txt b/testing/tests/ikev2/compress/description.txt new file mode 100644 index 000000000..47829839d --- /dev/null +++ b/testing/tests/ikev2/compress/description.txt @@ -0,0 +1,3 @@ +This scenario enables IPCOMP compression between roadwarrior carol and +gateway moon. Two pings from carol to alice checks +the established tunnel with compression. diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat new file mode 100644 index 000000000..279033f2b --- /dev/null +++ b/testing/tests/ikev2/compress/evaltest.dat 
@@ -0,0 +1,10 @@ +moon::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUPP)::YES +moon::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUPP)::YES +carol::ipsec status::home.*INSTALLED::YES +moon::ipsec status::rw.*INSTALLED::YES +moon::ip xfrm state::proto comp spi::YES +carol::ip xfrm state::proto comp spi::YES +carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..670a50c00 --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + compress=yes + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..91abfd4da --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf 
@@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + compress=yes + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/compress/posttest.dat b/testing/tests/ikev2/compress/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev2/compress/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev2/compress/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/ikev2/compress/test.conf 
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
index 8458724c6..222673704 100755
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 keyexchange=ikev2
 right=PH_IP_MOON
 rightsubnet=10.1.0.0/16
- rightsourceip=PH_IP_MOON1
 rightcert=moonCert.pem
 rightid=@moon.strongswan.org
 rightfirewall=yes
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
index bafd1b155..bb558fe25 100755
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 keyexchange=ikev2
 left=PH_IP_MOON
 leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
 leftcert=moonCert.pem
 leftid=@moon.strongswan.org
 leftfirewall=yes
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
index 9aa53fb64..f15196024 100644
--- a/testing/tests/ikev2/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -1,8 +1,10 @@
-moon::cat /var/log/daemon.log::loading crl file::YES
-carol::cat /var/log/daemon.log::loading crl file::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/auth.log::written crl file::NO
-carol::cat /var/log/auth.log::written crl file::NO
+moon::cat /var/log/daemon.log::loaded crl file::YES
+moon::cat /var/log/daemon.log::crl is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec listcrls:: ok::YES
+carol::cat /var/log/daemon.log::loaded crl file::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
 carol::ipsec listcrls:: ok::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat
index 05e818e21..d98df8c7c 100644
--- a/testing/tests/ikev2/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
@@ -1,12 +1,12 @@
-moon::cat /var/log/daemon.log::loading crl file::YES
-carol::cat /var/log/daemon.log::loading crl file::YES
+moon::cat /var/log/daemon.log::loaded crl file::YES
 moon::cat /var/log/daemon.log::crl is stale::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES
+moon::cat /var/log/daemon.log::crl is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::loaded crl file::YES
 carol::cat /var/log/daemon.log::crl is stale::YES
-moon::cat /var/log/daemon.log::sending ldap request::YES
-carol::cat /var/log/daemon.log::sending ldap request::YES
+carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
+carol::cat /var/log/daemon.log::crl is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec status::rw.*ESTABLISHED::YES
 carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl file::YES
-carol::cat /var/log/daemon.log::written crl file::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
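Review bot: The rewritten crl-ldap expectations no longer assert that the CRL fetched over LDAP is cached on disk: the `written crl file` and `ipsec listcrls:: ok` lines are dropped without a replacement, while the crl-to-cache hunk in this same commit moves to the new `written crl to` wording. If the 4.2.4 daemon still caches a CRL fetched via LDAP for this configuration, add `moon::cat /var/log/daemon.log::written crl to::YES` and `carol::cat /var/log/daemon.log::written crl to::YES` so a regression in caching on the LDAP path is still caught; if caching is now off in this test, a one-line comment in the test saying so would stop the next reader from asking. The new `fetching crl from.*ldap` and `certificate status is good` checks look right for the stale-CRL refresh they describe.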
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
index 3d6cf72bb..2242746db 100644
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,6 +1,5 @@
 moon::cat /var/log/daemon.log::certificate was revoked::YES
-moon::cat /var/log/daemon.log::end entity certificate is not trusted::YES
-carol::cat /var/log/daemon.log::AUTHENTICATION_FAILED::YES
-moon::ipsec listcrls:: ok::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
index 14edd946f..00489436e 100644
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,4 @@
 moon::ipsec status::rw.*ESTABLISHED::YES
 carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/daemon.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index fe68be4b5..88f9a2ca9 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -10,7 +10,7 @@ moon::rm /etc/ipsec.d/private/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
-moon::sleep 3
+moon::sleep 5
 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
 moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
 moon::ipsec reload
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
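Review bot: `moon::sleep 5` in the default-keys pretest swaps one fixed delay for a longer one, and the following `scp` of `/etc/ipsec.d/certs/selfCert.der` will still race the daemon on a slow or loaded host, since the sleep appears to cover moon generating its self-signed certificate after `ipsec start`. Waiting for the artifact is more robust than guessing a duration: `moon::for i in 1 2 3 4 5 6 7 8 9 10; do test -s /etc/ipsec.d/certs/selfCert.der && break; sleep 1; done`, which assumes the harness hands these lines to a shell, as the `2> /dev/null` redirections elsewhere in this commit suggest it does. A short comment such as `# wait for charon to generate selfCert.der before exchanging certs` would also record why the delay exists at all.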
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
new file mode 100644
index 000000000..cb08a9312
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior carol proposes to gateway moon the ESP cipher suite
+AES_CCM_12-128 by defining esp=aes128gcm12-modp2048 or alternatively
+esp=aes128gcm96-modp2048 in ipsec.conf.
+A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
new file mode 100644
index 000000000..dc5032133
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::AES_CCM_12-128::YES
+carol::ipsec statusall::AES_CCM_12-128::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..85c825002
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-aesxcbc-modp2048!
+ esp=aes128ccm96-modp2048!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
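Review bot: The `esp=aes128ccm96-modp2048!` line in carol's conn %default, together with `esp=aes128ccm12-modp2048!` on the moon side of this test, disagrees with the new esp-alg-aes-ccm description.txt, which names `esp=aes128gcm12-modp2048` and `esp=aes128gcm96-modp2048` — GCM keywords for a test whose evaltest expects `AES_CCM_12-128`. The configs are the ones the evaltest agrees with, so the description should read `esp=aes128ccm12-modp2048` and `esp=aes128ccm96-modp2048`. The description presents the two spellings as alternatives for the same suite, so a comment above this esp line, `# ccm96 and ccm12 name the same 12-byte-ICV suite; moon proposes aes128ccm12`, would make the deliberate asymmetry between the two hosts visible to the next reader. Both ipsec.conf hunks are complete within the diff.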
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..8f8404516
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-aesxcbc-modp2048!
+ esp=aes128ccm12-modp2048!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
new file mode 100644
index 000000000..721f3c64b
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior carol proposes to gateway moon the ESP cipher suite
+AES_GCM_16-256 by defining esp=aes256gcm16-modp2048 or alternatively
+esp=aes256gcm128-modp2048 in ipsec.conf.
+A ping from carol to alice successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
new file mode 100644
index 000000000..8f007b900
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::AES_GCM_16-256::YES
+carol::ipsec statusall::AES_GCM_16-256::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..df2b7437d
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-aesxcbc-modp2048!
+ esp=aes256gcm128-modp2048!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..661681105
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-aesxcbc-modp2048!
+ esp=aes256gcm16-modp2048!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/description.txt b/testing/tests/ikev2/esp-alg-aesxcbc/description.txt
deleted file mode 100644
index 0ea28a716..000000000
--- a/testing/tests/ikev2/esp-alg-aesxcbc/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior carol proposes to gateway moon the ESP cipher suite
-AES_CBC-256/AES_XCBC_96 by defining esp=aes256-aesxcbc-modp2048
-in ipsec.conf. A ping from carol to alice successfully checks
-the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat
deleted file mode 100644
index 19b0b4378..000000000
--- a/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::AES_CBC-256/AES_XCBC_96::YES
-carol::ipsec statusall::AES_CBC-256/AES_XCBC_96::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 25f8ce8b2..000000000
--- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=yes
- plutostart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-modp2048!
- esp=aes256-aesxcbc-modp2048!
-
-conn home
- left=PH_IP_CAROL
- leftfirewall=yes
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 303a49152..000000000
--- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=yes
- plutostart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes256-sha256-modp2048!
- esp=aes256-aesxcbc-modp2048!
-
-conn rw
- left=PH_IP_MOON
- leftfirewall=yes
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat
deleted file mode 100644
index f360351e1..000000000
--- a/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -carol::ipsec start -carol::sleep 1 -carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/test.conf b/testing/tests/ikev2/esp-alg-aesxcbc/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev2/esp-alg-aesxcbc/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null 
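Review bot: The `load` line in the new strongswan.conf enables `des` and `md5` on every host although the IKE/ESP proposals visible in this change (`aes256-sha256-modp2048`) use neither; if they are only needed to parse legacy-signed test certificates, a comment such as `# des/md5: only needed for legacy certificate signatures` would record that, otherwise the loaded set could be trimmed to what the tests actually negotiate. The same blob (ca22de61f) is added verbatim for force-udp-encaps/sun, host2host-cert, host2host-swapped, host2host-transport, ip-pool-db, ip-pool-wish, ip-pool, mobike-nat and mobike-virtual-ip hosts in the following hunks. Since the diffstat already lists a per-host testing/hosts/*/etc/strongswan.conf, per-test copies only make sense where they are meant to differ from that base; identical copies invite drift when the plugin list changes again.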
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat index 2dd58c9d7..b3cade48c 100644 --- a/testing/tests/ikev2/host2host-transport/evaltest.dat +++ b/testing/tests/ikev2/host2host-transport/evaltest.dat 
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::received USE_TRANSPORT_MODE notify::YES
+moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
 moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
 sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-db/description.txt b/testing/tests/ikev2/ip-pool-db/description.txt
new file mode 100644
index 000000000..5cc500c98
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+Both carol and dave request a virtual IP via the IKEv2 configuration payload
+by using the leftsourceip=%config parameter. The gateway moon assigns virtual IP
+addresses from a pool named bigpool that was created in an SQL database by the command
+ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0.
+
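Review bot: The new pattern `parsed IKE_AUTH response.*N(USE_TRANSP)` uses unescaped parentheses; if do-tests evaluates these expressions as an extended regular expression, `(USE_TRANSP)` is a group and the line would only match the literal text `NUSE_TRANSP`, which never appears, so the expectation would fail for a healthy tunnel. Under a basic regex the parentheses are literal and it works as written, but I cannot tell from this hunk which matcher is used (do-tests.in is also touched by this change). A bracket expression, `parsed IKE_AUTH response.*N[(]USE_TRANSP[)]`, matches the literal parentheses under both syntaxes and removes the dependency.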

+leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnels, carol and dave then ping the client +alice behind the gateway moon. The source IP addresses of the two pings will be the +virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat new file mode 100644 index 000000000..07d17b338 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat 
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon::cat /var/log/daemon.log::assigning lease with new address from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
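Review bot: The two `ipsec pool --leases --filter` lines hard-code `addr=10.3.0.1` and `addr=10.3.0.2`, while every other line in this file refers to the leased addresses as PH_IP_CAROL1 and PH_IP_DAVE1; if placeholder substitution applies to evaltest.dat (the lines above already rely on it), `addr=PH_IP_CAROL1` and `addr=PH_IP_DAVE1` keep the file consistent and survive a change of the pool range. The carol→.1, dave→.2 mapping is also only guaranteed because pretest.dat brings carol up before dave and the pool hands out addresses in order; a one-line comment in pretest.dat, `# carol must come up first: evaltest expects carol=.1, dave=.2`, would make that ordering dependency explicit.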
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a19f6cfae
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1a89f4e5d
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
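Review bot: `strictcrlpolicy=no` together with `crlcheckinterval=180` means that a CRL which cannot be fetched does not fail peer authentication in these new tests (a fetched CRL listing the peer is still honoured); the esp-alg-aesxcbc configurations deleted by this same change ran with `strictcrlpolicy=yes`. That is defensible for tests whose subject is address-pool assignment, but since winnetou, which appears to serve the CRL in this topology, is in UMLHOSTS anyway, either keep `yes` for parity with the rest of the suite or state the intent, e.g. `# strictcrlpolicy=no: revocation handling is not under test here`. The same setting is used in the dave config in this hunk and in the moon, ip-pool-wish and ip-pool ipsec.conf files added below.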
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b3413830f
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=%bigpool
+ auto=add
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
new file mode 100644
index 000000000..5d26cbbbc
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::ipsec pool --del bigpool
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
new file mode 100644
index 000000000..78ba3f581
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -0,0 +1,13 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool-wish/description.txt b/testing/tests/ikev2/ip-pool-wish/description.txt
new file mode 100644
index 000000000..a5487169a
--- /dev/null
+++ b/testing/tests/ikev2/ip-pool-wish/description.txt
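Review bot: posttest.dat's `moon::rm /etc/ipsec.d/ipsec.*` also deletes the ipsec.sql that the base host image ships for moon (testing/hosts/moon/etc/ipsec.d/ipsec.sql is in this change's diffstat), after pretest.dat has already overwritten it with a copy of tables.sql that exists only to be piped into sqlite3; unless the host's /etc is restored before every test, later tests that rely on that file would run against a clobbered or missing one. Loading the schema directly, `moon::sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/tables.sql`, and removing only what this test created, `moon::rm /etc/ipsec.d/ipsec.db`, avoids both the copy and the collateral deletion. The database file is created with the shell's default umask; if tables.sql defines credential tables (not visible here), creating it under `umask 077` keeps the test image closer to what a deployment should look like.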
@@ -0,0 +1,11 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +Both carol and dave request the same virtual IP via the IKEv2 +configuration payload by using the leftsourceip=PH_IP_DAVE1 parameter. On a first-come, +first-served basis, dave gets PH_IP_DAVE1 from the simple address pool managed +by gateway moon and carol gets the first free address PH_IP_CAROL1 +from the pool. +

+leftfirewall=yes automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, carol and dave then ping +the client alice behind the gateway moon. The source IP addresses of the two +pings will be the virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat new file mode 100644 index 000000000..19e6783af --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat 
@@ -0,0 +1,23 @@ +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave::ip addr list dev eth0::PH_IP_DAVE1::YES +dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave::ipsec status::home.*INSTALLED::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::adding virtual IP address pool::YES +moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES +moon::cat /var/log/daemon.log::assigning virtual IP::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5f93b3987 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf 
@@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=PH_IP_DAVE1 + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..b58ba5460 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=PH_IP_DAVE1 + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..0b4cded6c --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/28 + auto=add diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat new file mode 100644 index 000000000..519c81a31 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat 
@@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +dave::ipsec start +carol::ipsec start +moon::ipsec start +dave::sleep 2 +dave::ipsec up home +carol::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2/ip-pool-wish/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ip-pool/description.txt b/testing/tests/ikev2/ip-pool/description.txt new file mode 100644 index 000000000..fc3f8c63a --- /dev/null +++ b/testing/tests/ikev2/ip-pool/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +Both carol and dave request a virtual IP via the IKEv2 configuration payload +by using the leftsourceip=%config parameter. The gateway moon assigns virtual +IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously +increasing order. +

+leftfirewall=yes automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, carol and dave then ping +the client alice behind the gateway moon. The source IP addresses of the two +pings will be the virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat new file mode 100644 index 000000000..15ca7426f --- /dev/null +++ b/testing/tests/ikev2/ip-pool/evaltest.dat 
@@ -0,0 +1,23 @@ +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave::ip addr list dev eth0::PH_IP_DAVE1::YES +dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave::ipsec status::home.*INSTALLED::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::adding virtual IP address pool::YES +moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon::cat /var/log/daemon.log::assigning virtual IP::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a19f6cfae --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf 
@@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..1a89f4e5d --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..0b4cded6c --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/28 + auto=add diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/ip-pool/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat new file mode 100644 index 000000000..014e80517 --- /dev/null +++ b/testing/tests/ikev2/ip-pool/pretest.dat 
@@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/ip-pool/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat index 541b218d0..f2758eb35 100644 --- a/testing/tests/ikev2/mobike-nat/evaltest.dat +++ b/testing/tests/ikev2/mobike-nat/evaltest.dat 
@@ -10,7 +10,9 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
 alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
 sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP::YES
-moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: UDP-encap: ESP::YES
+sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
+sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
+moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES
+moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES
 bob::tcpdump::10.3.0.3.*bob.strongswan.org.*ICMP echo request::YES
 bob::tcpdump::bob.strongswan.org.*10.3.0.3.*ICMP echo reply::YES
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
index e9abfdac8..5c93d1462 100755
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn %default
 
 conn mobike
 left=PH_IP_ALICE1
- leftsourceip=10.3.0.3
+ leftsourceip=%config
 leftcert=aliceCert.pem
 leftid=alice@strongswan.org
 leftfirewall=yes
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
index 6944749be..d6121511e 100755
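Review bot: The four new tcpdump expectations pin ESP sequence numbers (`seq=0x1` on sun before the address change, `seq=0x2` inside UDP-encap on moon after it), so the test now depends on exactly one ESP packet per direction being sent on each path; any extra packet (a retransmitted ping, a DPD exchange, a rekey) shifts the counters and fails the run without the tunnel being wrong. If the intent is to prove that the CHILD_SA survived the MOBIKE update rather than being re-created, matching the same SPI in both captures, or accepting `seq=0x[12]` and checking that the sun capture precedes the moon one, would carry the same evidence with less brittleness. The same expectations are added to mobike-virtual-ip/evaltest.dat in the file section below.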
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
@@ -19,6 +19,6 @@ conn mobike
 leftfirewall=yes
 leftsubnet=10.2.0.0/16
 right=%any
- rightsourceip=%config
+ rightsourceip=10.3.0.3
 rightid=alice@strongswan.org
 auto=add
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf
index 6467631e5..24a0cf3a4 100644
--- a/testing/tests/ikev2/mobike-nat/test.conf
+++ b/testing/tests/ikev2/mobike-nat/test.conf
@@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png"
 
 # UML instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="bob moon"
+TCPDUMPHOSTS="bob moon sun"
 
 # UML instances on which IPsec is started
 # Used for IPsec logging purposes
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
index 5be507d2e..94dea0b14 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
@@ -10,7 +10,9 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES -moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES +sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES +sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES +moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES +moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP.*seq=0x2::YES bob::tcpdump::10.3.0.3.*bob.strongswan.org.*ICMP echo request::YES bob::tcpdump::bob.strongswan.org.*10.3.0.3.*ICMP echo reply::YES diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf index e9abfdac8..5c93d1462 100755 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf @@ -14,7 +14,7 @@ conn %default conn mobike left=PH_IP_ALICE1 - leftsourceip=10.3.0.3 + leftsourceip=%config leftcert=aliceCert.pem leftid=alice@strongswan.org leftfirewall=yes diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf index 64a659f4f..18a67cde0 100755 
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf @@ -19,6 +19,6 @@ conn mobike leftfirewall=yes leftsubnet=10.2.0.0/16 right=PH_IP_ALICE1 - rightsourceip=%config + rightsourceip=10.3.0.3 rightid=alice@strongswan.org auto=add diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf index 6467631e5..24a0cf3a4 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/test.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf @@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png" # UML instances on which tcpdump is to be started # -TCPDUMPHOSTS="bob moon" +TCPDUMPHOSTS="bob moon sun" # UML instances on which IPsec is started # Used for IPsec logging purposes diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat index 10bb37e42..6c49c0425 100644 --- a/testing/tests/ikev2/mobike/evaltest.dat +++ b/testing/tests/ikev2/mobike/evaltest.dat 
@@ -10,8 +10,10 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES -moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES +sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES +sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES +moon::tcpdump::alice.strongswan.org.*sun.strongswan.org: ESP.*seq=0x2::YES +moon::tcpdump::sun.strongswan.org.*alice.strongswan.org: ESP.*seq=0x2::YES bob::tcpdump::alice1.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES bob::tcpdump::bob.strongswan.org.*alice1.strongswan.org.*ICMP echo reply::YES bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf index 6467631e5..24a0cf3a4 100644 --- a/testing/tests/ikev2/mobike/test.conf +++ b/testing/tests/ikev2/mobike/test.conf 
@@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png" # UML instances on which tcpdump is to be started # -TCPDUMPHOSTS="bob moon" +TCPDUMPHOSTS="bob moon sun" # UML instances on which IPsec is started # Used for IPsec logging purposes diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat index 00cafc130..ca0bdba44 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat 
@@ -1,11 +1,20 @@
-moon::cat /var/log/daemon.log::sending ldap request to::YES
-moon::cat /var/log/daemon.log::received valid ldap response::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
 carol::ipsec status::alice.*INSTALLED::YES
 moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::ipsec status::venus.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
 moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
 dave::ipsec status::venus.*INSTALLED::YES
 moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 dave::ipsec status::alice.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
 moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
-
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1949d3abc
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat index 1e52d2273..3ac0adbb5 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat @@ -1,6 +1,4 @@ -moon::ipsec listcacerts --utc::status revoked on::YES moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::received end entity certificate is not trusted::YES moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::alice.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf index 9b331f0a9..ef1beae7e 100755 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf @@ -5,6 +5,11 @@ config setup strictcrlpolicy=yes plutostart=no +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + conn %default ikelifetime=60m keylife=20m 
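Review bot: The revoked-certificate evaltest now asserts only `certificate was revoked` and the failed authentication, and it drops the `listcacerts ... status revoked on` check, so nothing in the test proves that the revocation decision rests on a CRL that was actually fetched and signature-verified; the multi-level-ca evaltest in this same commit pins exactly that with `fetching crl from` and `crl correctly signed by` lines. Add the equivalent pair here for the CRL that lists carol, e.g. `moon::cat /var/log/daemon.log::fetching crl from.*http.*crl::YES` and `moon::cat /var/log/daemon.log::crl correctly signed by.*CA::YES`, filling in the issuing CA's name once it is confirmed from the fixture (which CA revoked carol is not visible here). This matters because moon's ipsec.conf in the same commit turns on `strictcrlpolicy=yes` with a plaintext `crluri=http://crl.strongswan.org/strongswan.crl`; the cleartext transport is acceptable only because the CRL signature is checked, and the test should demonstrate that check rather than assume it.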
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
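Review bot: The explicit `load =` line in the new strongswan.conf is the right default-deny shape for a charon plugin set, but it pulls in `des` and `md5` with no note on why a fixture needs them; presumably they back the default IKE/ESP proposals this testbed exercises (not visible in the hunk), yet the file reads as a copy-paste baseline once it ships with the tarball. A short comment would keep the legacy algorithms from being carried into real deployments, e.g. `# testbed plugin set: des and md5 are legacy algorithms kept only for proposal coverage — do not load them in production`. The same five-line file is repeated for carol, dave and moon in this hunk run, so the comment belongs in each copy.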
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
index 6cb0bd8ae..e4eafe966 100644
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -1,12 +1,20 @@
+moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
 carol::ipsec status::alice.*INSTALLED::YES
 moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::ipsec status::venus.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES
 moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
 moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
 dave::ipsec status::venus.*INSTALLED::YES
 moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
 dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 dave::ipsec status::alice.*INSTALLED::NO
+moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
 moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
 moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf index e1ee6e8d6..d0240a333 100755 --- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - charondebug="cfg 2" crlcheckinterval=180 strictcrlpolicy=no plutostart=no diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-double-snat/description.txt b/testing/tests/ikev2/nat-double-snat/description.txt deleted file mode 100644 index e0708898b..000000000 --- a/testing/tests/ikev2/nat-double-snat/description.txt +++ /dev/null 
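Review bot: Dropping `charondebug="cfg 2"` from moon's `config setup` while the multi-level-ca evaltest in the same commit starts matching daemon.log for `constraint check failed: peer not authenticated by` and `crl correctly signed by` ties those assertions to whatever charon logs at its default verbosity; if either message is only emitted at cfg level 2, the new YES checks fail as a missing match rather than as a detected security fault. Worth confirming the messages appear at default level before removing the setting, or keep it in this fixture with a comment such as `charondebug="cfg 2"  # evaltest.dat matches constraint-check and CRL log lines`. Note also that this moon keeps `strictcrlpolicy=no`, so a silently failing CRL fetch would still let the tunnels come up and only the positive `fetching crl from` assertions would catch it — another reason the log lines must be reliably present. Whether `config setup` ends at `plutostart=no` or continues is not visible from the hunk.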
@@ -1,6 +0,0 @@ -The roadwarrior alice sets up a connection to host bob using IKEv2. The hosts -sit behind NAT router moon (SNAT) and sun (SNAT) respectively. -UDP encapsulation is used to traverse the NAT router. -The authentication is based on locally loaded X.509 certificates. -In order to test the tunnel the NAT-ed host alice pings the host -bob. diff --git a/testing/tests/ikev2/nat-double-snat/evaltest.dat b/testing/tests/ikev2/nat-double-snat/evaltest.dat deleted file mode 100644 index 7a3dede42..000000000 --- a/testing/tests/ikev2/nat-double-snat/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -bob::ipsec statusall::rw-alice.*ESTABLISHED::YES -alice::ipsec statusall::home.*ESTABLISHED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdumpcount::IP moon.strongswan.org.* > bob.strongswan.org.ipsec-nat-t: UDP::2 -moon::tcpdumpcount::IP bob.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::2 diff --git a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 30a067bc9..000000000 --- a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,16 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn home - left=PH_IP_ALICE - leftcert=aliceCert.pem - leftid=alice@strongswan.org - right=PH_IP_BOB - rightcert=bobCert.pem - rightid=bob@strongswan.org - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem deleted file mode 100644 index 199d3eee2..000000000 --- a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY -27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB -fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg -xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF -ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E -5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ -BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl -+27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ -BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz -dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u -b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv -c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z -TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq -0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI -5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN -NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw -7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE -Mto= ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf deleted file mode 100644 index eaec3d642..000000000 --- a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf +++ /dev/null 
@@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn %default - left=PH_IP_BOB - leftcert=bobCert.pem - leftid=bob@strongswan.org - leftsubnet=10.2.0.10/32 - keyexchange=ikev2 - -conn rw-alice - right=%any - rightcert=aliceCert.pem - rightid=alice@strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem deleted file mode 100644 index e99ae8ec7..000000000 --- a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz -MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer -GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 -FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W -6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH -v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc -KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG -A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa -60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG -A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 -cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu -Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn -L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo -2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ -AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 -D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S -CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi -6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re -JGhV ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-double-snat/posttest.dat b/testing/tests/ikev2/nat-double-snat/posttest.dat deleted file mode 100644 index 8ad7df96c..000000000 --- a/testing/tests/ikev2/nat-double-snat/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -alice::ipsec stop -bob::ipsec stop -alice::rm /etc/ipsec.d/certs/* -bob::rm /etc/ipsec.d/certs/* -moon::route del -net 10.2.0.0/16 -sun::route del -net 10.1.0.0/16 -moon::iptables -t nat -F -sun::iptables -t nat -F 
diff --git a/testing/tests/ikev2/nat-double-snat/pretest.dat b/testing/tests/ikev2/nat-double-snat/pretest.dat deleted file mode 100644 index da1d43c4e..000000000 --- a/testing/tests/ikev2/nat-double-snat/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -sun::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::route add -net 10.1.0.0/16 gw PH_IP_MOON -sun::iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -p udp -j SNAT --to-source PH_IP_SUN1:4024-4100 -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::route add -net 10.2.0.0/16 gw PH_IP_SUN -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 -bob::ipsec start -alice::ipsec start -alice::sleep 1 -alice::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev2/nat-double-snat/test.conf b/testing/tests/ikev2/nat-double-snat/test.conf deleted file mode 100644 index 1ca2ffe5a..000000000 --- a/testing/tests/ikev2/nat-double-snat/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice bob" diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} 
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-pf/description.txt b/testing/tests/ikev2/nat-pf/description.txt deleted file mode 100644 index bb38af458..000000000 --- a/testing/tests/ikev2/nat-pf/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -The roadwarrior carol sets up a connection to host alice sitting behind the NAT router moon -using IKEv2. Port Forwarding is used to publish host alice. UDP encapsulation is used to traverse the NAT router. -The authentication is based on locally loaded X.509 certificates. -In order to test the tunnel the roadwarrior carol pings the host alice. diff --git a/testing/tests/ikev2/nat-pf/evaltest.dat b/testing/tests/ikev2/nat-pf/evaltest.dat deleted file mode 100644 index 4d2950521..000000000 --- a/testing/tests/ikev2/nat-pf/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -alice::ipsec statusall::rw-carol.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdumpcount::IP carol.strongswan.org.* > moon.strongswan.org.ipsec-nat-t: UDP::2 -moon::tcpdumpcount::IP moon.strongswan.org.ipsec-nat-t > carol.strongswan.org.*: UDP::2 diff --git a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 836379494..000000000 --- a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf +++ /dev/null 
@@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn %default - left=PH_IP_ALICE - leftcert=aliceCert.pem - leftid=alice@strongswan.org - leftsubnet=10.1.0.10/32 - keyexchange=ikev2 - -conn rw-carol - right=%any - rightcert=carolCert.pem - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 8492fbd45..000000000 --- a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX -T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl -vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii -S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW -LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM -YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD -j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT -EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI -U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM -2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE -HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd -hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG -C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK -omBYfxqp ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 52345af7c..000000000 --- a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,17 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightcert=aliceCert.pem - rightid=alice@strongswan.org - rightsubnet=10.1.0.0/24 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem deleted file mode 100644 index e99ae8ec7..000000000 --- a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem +++ /dev/null 
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
-MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
-GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
-FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
-6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
-v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
-KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
-60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
-cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
-2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
-AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
-D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
-CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
-6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
-JGhV
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-pf/posttest.dat b/testing/tests/ikev2/nat-pf/posttest.dat
deleted file mode 100644
index bed4ae1b7..000000000
--- a/testing/tests/ikev2/nat-pf/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec stop
-alice::ipsec stop
-carol::rm /etc/ipsec.d/certs/*
-alice::rm /etc/ipsec.d/certs/*
-moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/nat-pf/pretest.dat b/testing/tests/ikev2/nat-pf/pretest.dat
deleted file mode 100644
index fdb3de711..000000000
--- a/testing/tests/ikev2/nat-pf/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -m multiport -t nat -A PREROUTING -i eth0 -p udp --dports 500,4500 -j DNAT --to 10.1.0.10
-alice::ipsec start
-carol::ipsec start
-carol::sleep 1
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/nat-pf/test.conf b/testing/tests/ikev2/nat-pf/test.conf
deleted file mode 100644
index 21bece8e6..000000000
--- a/testing/tests/ikev2/nat-pf/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice carol"
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
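Review bot: The `load =` line of the two nat-two-rw-psk strongswan.conf files added here (and of the identical copies for venus and the other test hosts that follow) enables the `des` and `md5` plugins on every test host. If none of these scenarios negotiates 3DES or MD5 — the matching ipsec.conf proposals are not in these hunks, so I cannot tell — dropping the two keeps each host's plugin set to what its test actually exercises instead of leaving legacy algorithms loadable by default across the lab. The same five lines are also copied verbatim into every test directory (blobs c252ebde6 and ca22de61f); a single shared default that the per-test copies only override where they differ would stop the lists from drifting apart the next time one plugin is added or removed.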
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
index 6b849b811..c08a17943 100644
--- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
@@ -1,8 +1,12 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
 moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
 carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status from::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec status::rw.*ESTABLISHED::YES
 carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index 93d152f6b..768de938b 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -1,9 +1,9 @@
 moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES
 carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
 dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
-dave::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+dave::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec status::ESTABLISHED.*carol::YES
 moon::ipsec status::ESTABLISHED.*dave::YES
 carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index f185536a6..939817d58 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,5 +1,6 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received certificate is no ocsp signer - rejected::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response verification failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
index c6d6235f9..1af117cf0 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
@@ -1,2 +1,3 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
index d92333d86..afb64c3ed 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
@@ -1,3 +1,4 @@
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
index eacb70c40..2c3196103 100644
--- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
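Review bot: `moon::iptables -F` in the new ocsp-no-signer-cert posttest.dat flushes every rule of moon's filter table rather than only the OUTPUT rule that the pretest.dat hunk on the same line inserts; `moon::iptables -D OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP` removes exactly what was added and leaves any other rule the host carries between tests untouched. The same pretest/posttest pair is added for the ocsp-untrusted-cert test further down and has the same issue. The purpose of the DROP rule — presumably to keep moon from fetching anything over HTTP from winnetou so that the OCSP response-verification failure, not a fallback fetch, decides the outcome — is not recorded anywhere in the hunk; the test's description.txt would be the place to state it.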
@@ -1,6 +1,7 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::certificate was revoked on::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
index a3a1df194..5bb322acc 100644
--- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
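Review bot: The added line `moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed` in ocsp-revoked/evaltest.dat has no trailing `::YES` field, unlike every other line of the file, so the evaluator cannot compare it against an expected YES/NO (how do-tests treats a line with the field missing is not visible from this hunk, but it cannot be a real assertion). The revocation itself is asserted by the `certificate was revoked on::YES` line, but the resulting authentication failure on moon — the point of this line — is then only implied by the `ESTABLISHED::NO` status checks. It should read `moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed::YES`.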
@@ -1,6 +1,10 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-carol::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::certificate is good::YES
-carol::cat /var/log/daemon.log::certificate is good::YES
+moon::cat /var/log/daemon.log::requesting ocsp status::YES
+moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon::cat /var/log/daemon.log::ocsp response is valid::YES
+moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
 moon::ipsec status::rw.*ESTABLISHED::YES
 carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt
index 492a9882b..7c7efb68e 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/description.txt
+++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt @@ -4,7 +4,7 @@ is checked via the OCSP server winnetou which possesses an OCSP signer ce issued by the strongSwan CA. This certificate contains an OCSPSigning extended key usage flag. carol's certificate includes an OCSP URI in an authority information access extension pointing to winnetou. -Therefore no special ca section information is needed in ipsec.conf. +Therefore no special ca section information is needed in moon's ipsec.conf.

carol can successfully initiate an IPsec connection to moon since the status of both certificates is good. diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat index 4a8ffd412..f8bf0326a 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat @@ -1,13 +1,12 @@ -moon::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES -carol::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES -moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::requesting ocsp status::YES +moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::requesting ocsp status::YES +carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf index f8abd6b59..4011a6c17 100755 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf 
@@ -5,6 +5,11 @@ config setup strictcrlpolicy=yes plutostart=no +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + conn %default keyexchange=ikev2 ikelifetime=60m diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat index 48f24aa8f..9f20ee81c 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat @@ -1,6 +1,7 @@ moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES -moon::cat /var/log/daemon.log::http post request using libcurl failed::YES -moon::cat /var/log/daemon.log::authentication of.*dave.*failed::YES +moon::cat /var/log/daemon.log::libcurl http request failed::YES +moon::cat /var/log/daemon.log::certificate status is not available::YES +moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES moon::ipsec status::ESTABLISHED.*carol::YES moon::ipsec status::ESTABLISHED.*dave::NO carol::ipsec status::ESTABLISHED::YES 
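Review bot: The new `ca strongswan` section in ocsp-signer-cert/hosts/carol/etc/ipsec.conf gives carol an explicit `ocspuri`, while the test's description.txt (changed by this commit to say that only moon's ipsec.conf needs no ca section) does not say why carol does; presumably moon's certificate carries no OCSP URI in an authority information access extension, but nothing in the hunk confirms that. A comment on the section, e.g. `# moon's certificate provides no OCSP URI, so carol needs an explicit responder` adjusted to the actual reason, would keep the two files from reading as contradictory. The surrounding `config setup` and `conn %default` blocks start and end outside the hunk.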
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat index 4c4059810..777c32699 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat 
@@ -1,9 +1,13 @@ -moon::cat /var/log/daemon.log::http post request using libcurl failed::YES -carol::cat /var/log/daemon.log::http post request using libcurl failed::YES -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::libcurl http request failed::YES +moon::cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES +moon::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::libcurl http request failed::YES +carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES +carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf index d95a322bd..ff312cc6b 100755 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf @@ -7,7 +7,8 @@ config setup ca strongswan-ca cacert=strongswanCert.pem - ocspuri2=http://bob.strongswan.org:8800 + ocspuri1=http://bob.strongswan.org:8800 + ocspuri2=http://ocsp.strongswan.org:8880 auto=add conn %default diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f 
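Review bot: The `ocspuri1=http://bob.strongswan.org:8800` / `ocspuri2=http://ocsp.strongswan.org:8880` pair in ocsp-timeouts-good/hosts/carol/etc/ipsec.conf encodes the test's intent — the first responder is expected to fail and the second to answer, which is what the evaltest.dat hunk earlier on this line asserts (`ocsp request to.*bob.strongswan.org:8800.*failed`, then `requesting ocsp status from.*ocsp.strongswan.org:8880`) — but nothing in the file says so. A comment above the two lines, e.g. `# ocspuri1 is expected to time out; the test checks the fall-back to ocspuri2`, would stop a later edit from "fixing" the order. Whether charon tries ocspuri1 strictly before ocspuri2 is not visible from the hunk; the evaltest ordering only implies it. The ca section's neighbours `config setup` and `conn %default` extend outside the hunk.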
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
index c9c09a72f..1b281507b 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -1,5 +1,6 @@
-moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::libcurl http request failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
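Review bot: `moon::cat /var/log/daemon.log::constraint check failed::YES` in ocsp-timeouts-unknown/evaltest.dat is looser than the equivalent lines this commit adds to the ocsp-no-signer-cert and ocsp-untrusted-cert tests, which pin `constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD`; as written, a constraint failure for any reason other than the unavailable OCSP status also satisfies the check. If this test runs under the same strict policy (its ipsec.conf is not in the hunk), `moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES` would make the assertion as specific as its siblings.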
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index a0b6d681f..b47403756 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::received ocsp signer certificate is not trusted - rejected::YES
-moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::cat /var/log/daemon.log::requesting ocsp status from::YES
+moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
+moon::cat /var/log/daemon.log::ocsp response verification failed::YES
+moon::cat /var/log/daemon.log::certificate status is not available::YES
+moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
index c6d6235f9..1af117cf0 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
@@ -1,2 +1,3 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables -F
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
index d92333d86..afb64c3ed 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -1,3 +1,4 @@
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index c2fe02639..2af93a313 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -19,5 +19,4 @@ conn home
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
 rightsubnet=10.1.0.0/16
- rightsendcert=never
 auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f699d5e27
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapaka
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index dbf38160f..140e88912 100755
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -20,5 +20,6 @@ conn rw-eapaka
 leftcert=moonCert.pem
 leftfirewall=yes
 rightid=*@strongswan.org
+ rightsendcert=never
 right=%any
 auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f699d5e27
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapaka
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
new file mode 100644
index 000000000..a2ac00d80
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior carol sets up a connection to gateway moon.
+carol uses the Extensible Authentication Protocol
+in association with an MD5 challenge and response protocol
+(EAP-MD5) to authenticate against the gateway. The user password
+is kept in ipsec.secrets on both gateway and client
+Gateway moon additionaly uses an RSA signature to authenticate itself
+against carol.
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
new file mode 100644
index 000000000..5de841c03
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2af93a313
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=eap
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..e03e89a0f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..3a359eff2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapmd5
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..78bc23b4c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eapaka
+ authby=rsasig
+ eap=md5
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=@moon.strongswan.org
+ leftcert=moonCert.pem
+ leftfirewall=yes
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
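Review bot: The gateway connection in the new rw-eap-md5-rsa moon ipsec.conf is named `conn rw-eapaka` although it configures `eap=md5`; the name looks copied from the rw-eap-aka-rsa test and will mislead anyone reading logs or `ipsec statusall` output from this scenario. Renaming it to `conn rw-eapmd5` keeps the conn name aligned with the method under test, and the matching expectation in evaltest.dat (`moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES`) must change to `rw-eapmd5` in the same commit so the test keeps passing. The carol-side ipsec.conf on this line uses `authby=eap` with no `leftcert`, which is consistent with moon's `rightsendcert=never`, so no change is needed there.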
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..aa3838385
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3a359eff2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapmd5
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index c2fe02639..2af93a313 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -19,5 +19,4 @@ conn home
 right=PH_IP_MOON
 rightid=@moon.strongswan.org
 rightsubnet=10.1.0.0/16
- rightsendcert=never
 auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..8812814d6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapsim
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
index 3f88b2ade..509deb945 100755
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
@@ -21,4 +21,5 @@ conn rw-eapsim
 leftfirewall=yes
 rightid=*@strongswan.org
 right=%any
+ rightsendcert=never
 auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8812814d6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapsim
+}
diff --git a/testing/tests/ikev2/rw-hash-and-url/description.txt b/testing/tests/ikev2/rw-hash-and-url/description.txt
new file mode 100644
index 000000000..5e748d75e
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on X.509 certificates.
+Instead of the certificates themselves, "Hash and URL" certificate payloads
+are transferred and the certificates are fetched via http from web server winnetou.
+

+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping
+the client alice behind the gateway moon.
+

diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
new file mode 100644
index 000000000..fe2a8d063
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
@@ -0,0 +1,14 @@
+moon::cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
+moon::cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+dave::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..77046eb7d
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://winnetou.strongswan.org/certs/
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
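Review bot: The new `ca strongswan` section sets `certuribase=http://winnetou.strongswan.org/certs/`, so peer certificates are fetched over plain http, and nothing in the file records why that is acceptable; the same section appears in the dave and moon ipsec.conf hunks of this test. Presumably the transport needs no integrity because the Hash-and-URL CERT payload carries the certificate hash and the fetched certificate is then validated against `cacert=strongswanCert.pem` like any other, but a reader of the fixture has to know that, and a one-line comment above the section would make the trust model explicit, e.g. `# certificates are fetched over plain http; integrity comes from the hash in the CERT payload and from CA chain validation, not from the transport`. It would also be worth an evaltest expectation that a fetched certificate whose hash does not match is rejected, since the current evaltest.dat on this line only checks the success path.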
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..af0f9953b
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..febaf9be2
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://winnetou.strongswan.org/certs/
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..af0f9953b
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..cbc60000a
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ certuribase=http://winnetou.strongswan.org/certs/
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..af0f9953b
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ hash_and_url = yes
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-hash-and-url/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c252ebde6
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index 1ce38fc6a..236684c57 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -3,7 +3,7 @@ moon::cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-
 moon::ipsec statusall::rw-psk.*INSTALLED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature::YES
+moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
 moon::ipsec statusall::rw-rsasig.*INSTALLED::YES
 dave::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 8c7d2e9ea..0e5bd03db 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
 moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature::YES
+moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 dave::ipsec statusall::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
index dc6f82923..da59dfdae 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn %default
 
 conn home
 left=PH_IP_CAROL
+ leftsourceip=%config
 leftid=carol@strongswan.org
 leftfirewall=yes
 right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
index b09427d4c..f09d46c5b 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -15,6 +15,7 @@ conn %default
 
 conn home
 left=PH_IP_DAVE
+ leftsourceip=%config
 leftid=dave@strongswan.org
 leftfirewall=yes
 right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
index a3bf042d4..fb4b9ed3a 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -17,5 +17,6 @@ conn rw leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any + rightsourceip=10.3.0.0/28 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} 
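Review bot: `rightsourceip=10.3.0.0/28` turns moon into a virtual-IP server for any PSK peer that matches `right=%any`, but the evaltest.dat hunk in this same change only rewords the RSA-signature line and adds no check that carol or dave actually obtained an address from that pool or that moon installed a policy for it; only part of evaltest.dat is visible here, so confirm the remaining lines do not already cover it. Without such an assertion a pool that is silently ignored (or exhausted, a /28 leaves 14 leases) would still let the test pass on the `home.*ESTABLISHED` lines alone. An assertion on moon's `ipsec statusall` output showing a 10.3.0.x lease for each roadwarrior would close the gap; the carol and dave `leftsourceip=%config` hunks in this change have the same missing coverage.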
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index 3421c6e0f..0598e1fb2 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,6 +1,7 @@
-moon::cat /var/log/daemon.log::candidate peer certificate was not successfully verified::YES
-moon::cat /var/log/daemon.log::candidate peer certificate has a non-matching RSA public key::YES
-moon::cat /var/log/daemon.log::candidate peer certificate has a matching RSA public key::YES
+moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES
+moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES
 moon::ipsec statusall::carol.*ESTABLISHED::YES
 moon::ipsec statusall::dave.*ESTABLISHED::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf index eb6feb6e2..8800c7ad5 100755 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - charondebug="cfg 2" crlcheckinterval=180 strictcrlpolicy=yes plutostart=no diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} 
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null 
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} 
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt b/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt new file mode 100644 index 000000000..62fff0b30 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt @@ -0,0 +1,4 @@ +An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. +It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client alice behind moon +sends an IPv4 ICMP request to client bob behind sun using the ping command. diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat new file mode 100644 index 000000000..76c138e63 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat 
@@ -0,0 +1,5 @@
+moon::ipsec status::net-net.*INSTALLED::YES
+sun::ipsec status::net.net.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ /sbin/ip6tables -P INPUT DROP
+ /sbin/ip6tables -P OUTPUT DROP
+ /sbin/ip6tables -P FORWARD DROP
+
+ # allow esp
+ ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow last UDP fragment
+ ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+ # allow ICMPv6 neighbor-solicitations
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+ # allow ICMPv6 neighbor-advertisements
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ # log dropped packets
+ ip6tables -A INPUT -j LOG --log-prefix " IN: "
+ ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/ip6tables -F -t $a
+ /sbin/ip6tables -X -t $a
+
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/ip6tables -t filter -P INPUT ACCEPT
+ /sbin/ip6tables -t filter -P FORWARD ACCEPT
+ /sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/ip6tables -F -t $a
+ /sbin/ip6tables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ddc965c01
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ crlcheckinterval=180
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ also=host-host
+ leftsubnet=10.1.0.0/16
+ rightsubnet=10.2.0.0/16
+
+conn host-host
+ left=PH_IP6_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ right=PH_IP6_SUN
+ rightid=@sun.strongswan.org
+ auto=add
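Review bot: `reload()` flushes only the ip6tables chains before calling `start` again, so every reload re-appends the IPv4 rules that `start` adds with plain `iptables -A` (the winnetou CRL-fetch pair, the ssh pair) on top of the ones still in place, and the IPv4 chains accumulate duplicates. Add the IPv4 flush next to the IPv6 one inside the reload loop: `/sbin/iptables -F -t $a` and `/sbin/iptables -X -t $a`, mirroring what `stop()` already does. Both loops also drive ip6tables from `/proc/net/ip_tables_names`, which lists the IPv4 tables; the IPv6 list lives in `/proc/net/ip6_tables_names`, so a table present on one family only would be missed or produce an error, and a one-line comment stating that assumption would help. The copy of this script under hosts/sun in this same change has the identical reload behaviour.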
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables new file mode 100755 index 000000000..25074a0f1 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables 
@@ -0,0 +1,107 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + /sbin/ip6tables -P INPUT DROP + /sbin/ip6tables -P OUTPUT DROP + /sbin/ip6tables -P FORWARD DROP + + # allow esp + ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow last UDP fragment + ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT + + # allow ICMPv6 neighbor-solicitations + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + + # allow ICMPv6 neighbor-advertisements + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # log dropped packets + ip6tables -A INPUT -j LOG --log-prefix " IN: " + ip6tables -A OUTPUT -j LOG --log-prefix " OUT: " + + eend $? 
+} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/ip6tables -t filter -P INPUT ACCEPT + /sbin/ip6tables -t filter -P FORWARD ACCEPT + /sbin/ip6tables -t filter -P OUTPUT ACCEPT + + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..b02136ffe --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + crlcheckinterval=180 + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + also=host-host + leftsubnet=10.2.0.0/16 + rightsubnet=10.1.0.0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add 
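Review bot: The CRL-fetch rule `iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT` admits any TCP segment from winnetou whose source port is 80, including new inbound connections, because nothing restricts it to replies to sun's own outbound fetch; the ssh pair below it is equally stateless. In this isolated test LAN that is harmless, but the conventional form that the comment "allow crl fetch" actually describes is `iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -m state --state ESTABLISHED -j ACCEPT`. Separately, only the ip6tables chains end with a `LOG` rule, so the comment "log dropped packets" does not hold for IPv4: anything dropped by the IPv4 `-P ... DROP` policies vanishes silently, which makes firewall-related test failures on the IPv4 side hard to diagnose; the moon copy of this script in the same change is identical.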
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat
new file mode 100644
index 000000000..dff181797
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat
new file mode 100644
index 000000000..071827b66
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat
@@ -0,0 +1,6 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf
new file mode 100644
index 000000000..991d884db
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
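Review bot: pretest.dat starts IPsec on moon and sun but never runs the firewall script this change adds under hosts/moon and hosts/sun (`/etc/init.d/iptables`), and posttest.dat does not stop it, so unless the harness starts that script at boot the IPv6 ESP/IKE allow-list it defines is never exercised and the two `echo 1 > /proc/sys/net/ipv4/ip_forward` lines merely duplicate what the script does. The usual shape in this test tree appears to be `moon::/etc/init.d/iptables start 2> /dev/null` (and the same for sun) ahead of `ipsec start`, with the matching `stop` lines in posttest.dat; verify against a neighbouring test. If the script is started, note that both copies set the IPv4 FORWARD policy to DROP without any rule for 10.1.0.0/16 <-> 10.2.0.0/16 and neither ipsec.conf sets `leftfirewall=yes`, so the alice -> bob ping in evaltest.dat would then need explicit FORWARD rules or `leftfirewall=yes` on both gateways.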
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat index 1ea5bcebe..f1e26e7ea 100644 --- a/testing/tests/ipv6/transport-ikev2/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat @@ -1,4 +1,4 @@ -moon::cat /var/log/daemon.log::received USE_TRANSPORT_MODE notify::YES +moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES moon::ip xfrm state::mode transport::YES diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf 
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/openssl/ecdsa-certs/description.txt b/testing/tests/openssl/ecdsa-certs/description.txt new file mode 100644 index 000000000..2c098d898 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/description.txt @@ -0,0 +1,11 @@ +The hosts carol, dave, and moon use the openssl plugin +based on the OpenSSL library for all cryptographical functions. +

+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on ECDSA signatures
+using Elliptic Curve certificates.
+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping
+the client alice behind the gateway moon.
+
diff --git a/testing/tests/openssl/ecdsa-certs/evaltest.dat b/testing/tests/openssl/ecdsa-certs/evaltest.dat
new file mode 100644
index 000000000..a7243ce70
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/evaltest.dat
@@ -0,0 +1,14 @@
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful
+moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4f6fdc567
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf
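Review bot: The four `authentication of … with ECDSA-… signature successful` lines at the top of the new evaltest.dat are missing the trailing `::YES` field that every other line in this file and in the other evaltest.dat files in this change carry, so the expected-result column is empty for exactly the checks that prove ECDSA authentication took place. Depending on how do-tests parses the fourth `::` field, those lines are either skipped or evaluated against an empty expectation rather than asserting success, which would let a fallback to another authentication method go unnoticed. Append `::YES` to each, e.g. `moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES`.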
@@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=ecdsasig + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- 
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..29709926a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO +PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS +4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T +BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9 +MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry +b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz +d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+ +sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx +ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn +s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..5f21c1012 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem 
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+
+Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
+KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
+RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4e53ef91a
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..8c610d28a
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl random x509 pubkey hmac stroke
+}
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3138458ed
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=ecdsasig
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
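Review bot: carolKey.pem is the only private key in this test that is stored passphrase-protected (`Proc-Type: 4,ENCRYPTED`, `DEK-Info: AES-128-CBC,…`), with the passphrase sitting in clear text in carol's ipsec.secrets on the same hunk line, while daveKey.pem and moonKey.pem are added unencrypted; the likely intent, covering both the encrypted and the plain key-loading path of the openssl plugin, is nowhere written down. A comment in carol's ipsec.secrets, e.g. `# carolKey.pem is PEM-encrypted (AES-128-CBC); the passphrase below must match the key file`, plus one sentence in the test description would make the asymmetry visibly deliberate. Note that, as far as I know, the legacy PEM `DEK-Info` scheme derives the key from the passphrase with a single MD5-based pass, so the passphrase adds little beyond what the file permissions of ipsec.secrets already provide; for test-only identities that is acceptable, but it should not be mistaken for a hardened key store.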
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..075d8f1e5 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y +IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA +zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G +A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1 +atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai +dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw +MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj +LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH +ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/ +wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv +g+Z+grJzTppAqpwRpg== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..f628f88e5 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX ++BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9 +t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P +JDBocD1n1eCSwM67KOfouuPmOML0QgU= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..ebd3a2839 --- /dev/null 
+++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..8c610d28a
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl random x509 pubkey hmac stroke
+}
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..892e0c39b
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=ecdsasig
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem new file mode 100644 index 000000000..5178c7f38 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO +PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs +5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9 +BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX +Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU +Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu +j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD +VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG +SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt +l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH +mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD +CI9WpQ== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..beab0485f --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42 +yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz +1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw +tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq +pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg== +-----END EC PRIVATE KEY----- 
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8c610d28a
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl random x509 pubkey hmac stroke
+}
diff --git a/testing/tests/openssl/ecdsa-certs/posttest.dat b/testing/tests/openssl/ecdsa-certs/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl/ecdsa-certs/pretest.dat b/testing/tests/openssl/ecdsa-certs/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl/ecdsa-certs/test.conf b/testing/tests/openssl/ecdsa-certs/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl/ecdsa-certs/test.conf
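Review bot: In pretest.dat the three `/etc/init.d/iptables start 2> /dev/null` lines discard the only signal that the firewall actually came up, and the evaluation files visible in this commit (ike-alg-ecp-high, ike-alg-ecp-low, rw-cert) only check ESTABLISHED state, ESP in tcpdump and a successful ping, so a host whose iptables init failed would still pass and the firewall half of what `leftfirewall=yes` is meant to prove goes untested. Either drop the redirection so a failed start shows up in the test log, or add an evaluation line that greps the host's iptables rules for the accept rule the tunnel is expected to insert. The same three lines recur unchanged in the pretest.dat of ike-alg-ecp-high, ike-alg-ecp-low and rw-cert further down.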
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl/ike-alg-ecp-high/description.txt b/testing/tests/openssl/ike-alg-ecp-high/description.txt
new file mode 100644
index 000000000..38606ca0b
--- /dev/null
+++ b/testing/tests/openssl/ike-alg-ecp-high/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior carol and the gateway moon use the openssl
+plugin based on the OpenSSL library for all cryptographical functions
+whereas roadwarrior dave uses the default strongSwan cryptographical
+plugins aes des sha1 sha2 md5 gmp plus the openssl plugin for
+the Elliptic Curve Diffie-Hellman groups only.
+

+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on X.509 certificates.
+carol proposes the DH groups ECP_256 and ECP_384 whereas dave proposes
+ECP_256 and ECP_521. Since moon does not support ECP_521 the roadwarriors
+fall back to ECP_384 and ECP_521, respectively.
+

+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping
+the client alice behind the gateway moon.
+
diff --git a/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat b/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat
new file mode 100644
index 000000000..c9055f89c
--- /dev/null
+++ b/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::ECP_256_BIT.*ECP_384_BIT::YES
+dave::cat /var/log/daemon.log::ECP_256_BIT.*ECP_521_BIT::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec statusall::home.*AES_CBC-192/AUTH_HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BIT::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*AES_CBC-256/AUTH_HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521_BIT::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0550a09b4
--- /dev/null
+++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf
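Review bot: ike-alg-ecp-high/evaltest.dat expects dave's IKE_SA to end on ECP_521_BIT and carol's on ECP_384_BIT, which agrees with moon's `ike=aes192-sha384-ecp384,aes256-sha512-ecp521!` in this test, but the description.txt added on the preceding lines says "Since moon does not support ECP_521", which contradicts both the evaluation and moon's configuration. The group moon lacks is ECP_256, so the sentence should read `ECP_256 and ECP_521. Since moon does not support ECP_256 the roadwarriors`. The two `cat /var/log/daemon.log::ECP_256_BIT.*ECP_384_BIT` checks only require the two names to appear somewhere in the log in that order, so a comment noting that they verify the proposal sent rather than the group selected would help the next reader tell them apart from the `ipsec statusall` assertions below them.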
@@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp256,aes192-sha384-ecp384! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..22026fc36 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha512-ecp256,aes256-sha512-ecp521! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d9a94e19c --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ffe13d259 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp384,aes256-sha512-ecp521! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-high/posttest.dat b/testing/tests/openssl/ike-alg-ecp-high/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl/ike-alg-ecp-high/pretest.dat b/testing/tests/openssl/ike-alg-ecp-high/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null 
+++ b/testing/tests/openssl/ike-alg-ecp-high/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl/ike-alg-ecp-high/test.conf b/testing/tests/openssl/ike-alg-ecp-high/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/ike-alg-ecp-low/description.txt b/testing/tests/openssl/ike-alg-ecp-low/description.txt new file mode 100644 index 000000000..4f043e7d9 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/description.txt @@ -0,0 +1,17 @@ +The roadwarrior carol and the gateway moon use the openssl +plugin based on the OpenSSL library for all cryptographical functions +whereas roadwarrior dave uses the default strongSwan cryptographical +plugins aes des sha1 sha2 md5 gmp plus the openssl plugin for +the Elliptic Curve Diffie-Hellman groups only. +

+The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on X.509 certificates. +carol proposes the DH groups ECP_192 and ECP_224 whereas dave proposes +ECP_192 and ECP_256. Since moon does not support ECP_192 the roadwarriors +fall back to ECP_224 and ECP_256, respectively. +

+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. + diff --git a/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat b/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat new file mode 100644 index 000000000..dc417c21f --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::ECP_192_BIT.*ECP_224_BIT::YES +dave::cat /var/log/daemon.log::ECP_192_BIT.*ECP_256_BIT::YES +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +carol::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BIT::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BIT::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..6a15b3f54 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf 
@@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp192,aes128-sha256-ecp224! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..b4bdf456f --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp192,aes128-sha256-ecp256! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d9a94e19c --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..64ec0f12c --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp224,aes128-sha256-ecp256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-low/posttest.dat b/testing/tests/openssl/ike-alg-ecp-low/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl/ike-alg-ecp-low/pretest.dat b/testing/tests/openssl/ike-alg-ecp-low/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null 
+++ b/testing/tests/openssl/ike-alg-ecp-low/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl/ike-alg-ecp-low/test.conf b/testing/tests/openssl/ike-alg-ecp-low/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/rw-cert/description.txt b/testing/tests/openssl/rw-cert/description.txt new file mode 100644 index 000000000..0f721c52b --- /dev/null +++ b/testing/tests/openssl/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior carol and the gateway moon use the openssl +plugin based on the OpenSSL library for all cryptographical functions +whereas roadwarrior dave uses the default strongSwan cryptographical +plugins aes des sha1 sha2 md5 gmp. +

+The roadwarriors carol and dave set up a connection each +to gateway moon. The authentication is based on X.509 certificates. +Upon the successful establishment of the IPsec tunnels, leftfirewall=yes +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. + diff --git a/testing/tests/openssl/rw-cert/evaltest.dat b/testing/tests/openssl/rw-cert/evaltest.dat new file mode 100644 index 000000000..06a0f8cda --- /dev/null +++ b/testing/tests/openssl/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..4a8baa3ae --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=3des-sha1-modp1536! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add 
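Review bot: rw-cert/evaltest.dat only asserts ESTABLISHED, ping and ESP, unlike the two ike-alg-ecp tests which also pin the negotiated cipher suite; here carol pins `ike=3des-sha1-modp1536!` and dave (next line of the diff) `ike=aes256-sha256-modp2048!`, so the test presumably means to show the openssl plugin handling both a legacy 3DES/SHA1/MODP-1536 suite and an AES-256/SHA-256/MODP-2048 one, yet nothing checks that those suites are what came out. Adding statusall lines in the same form as the ecp tests, e.g. `carol::ipsec statusall::home.*3DES_CBC/AUTH_HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536_BIT::YES` and the AES-256 counterpart for dave (exact algorithm names to be taken from the daemon's statusall output), would catch a silent change in what gets negotiated. The description.txt on the same line should also say that carol's 3DES/SHA1 proposal exists to exercise the legacy path, so a reader does not take it for a recommended configuration.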
diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..42f03aab3 --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-modp2048! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d67f07a1a --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e84f2e6a --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf 
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8c610d28a
--- /dev/null
+++ b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl openssl random x509 pubkey hmac stroke
+}
diff --git a/testing/tests/openssl/rw-cert/posttest.dat b/testing/tests/openssl/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/openssl/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl/rw-cert/pretest.dat b/testing/tests/openssl/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl/rw-cert/test.conf b/testing/tests/openssl/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl/rw-cert/test.conf
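Review bot: moon's `load = curl openssl random x509 pubkey hmac stroke` omits the aes/des/sha1/sha2/md5/gmp plugins that dave and every other test host load, so moon can accept dave's aes256-sha256-modp2048 and carol's 3des-sha1-modp1536 proposals only if the openssl plugin supplies those algorithms — presumably the point of the test, but the file does not say so. A comment on the load line, e.g. `# all ciphers, hashes and DH groups come from the openssl plugin: no aes/des/sha*/md5/gmp loaded`, would make that explicit and stop someone from "completing" the list. Carol's strongswan.conf earlier in this commit has the identical load line and needs the same comment.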
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/p2pnat/behind-same-nat/evaltest.dat b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
index 0036e073f..e59334db9 100644
--- a/testing/tests/p2pnat/behind-same-nat/evaltest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec statusall::medsrv.*ESTABLISHED::YES
 venus::ipsec statusall::medsrv.*ESTABLISHED::YES
 carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
 carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*F1ubAio8@medsrv.org::YES
-alice::cat /var/log/daemon.log::received P2P_CALLBACK::YES
-alice::ipsec statusall::p2p.*ESTABLISHED::YES
-venus::ipsec statusall::p2p.*ESTABLISHED::YES
-alice::ipsec statusall::p2p.*INSTALLED::YES
-venus::ipsec statusall::p2p.*INSTALLED::YES
+alice::cat /var/log/daemon.log::received ME_CALLBACK::YES
+alice::ipsec statusall::peer.*ESTABLISHED::YES
+venus::ipsec statusall::peer.*ESTABLISHED::YES
+alice::ipsec statusall::peer.*INSTALLED::YES
+venus::ipsec statusall::peer.*INSTALLED::YES
 alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
 venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
index 937486984..1eb88c15c 100755
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
@@ -25,7 +25,7 @@ start() {
 iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- # allow NAT-T including P2P
+ # allow NAT-T
 iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
 iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
index e481996f7..b47f157f6 100755
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
@@ -21,16 +21,16 @@ conn medsrv
 leftid=6cu1UTVw@medsrv.org
 right=PH_IP_CAROL
 rightid=carol@strongswan.org
- p2p_mediation=yes
+ mediation=yes
 authby=psk
 auto=add
-conn p2p
+conn peer
 leftcert=aliceCert.pem
 leftid=alice@strongswan.org
 right=%any
 rightid=@venus.strongswan.org
 rightsubnet=PH_IP_VENUS/32
- p2p_mediated_by=medsrv
- p2p_peerid=F1ubAio8@medsrv.org
+ mediated_by=medsrv
+ me_peerid=F1ubAio8@medsrv.org
 auto=start
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
index 712d888b1..e38922cf4 100755
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
@@ -21,5 +21,5 @@ conn medsrv
 leftid=carol@strongswan.org
 leftfirewall=yes
 right=%any
- p2p_mediation=yes
+ mediation=yes
 auto=add
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
index 06d0ebca8..6fca87b4a 100755
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
@@ -25,7 +25,7 @@ start() {
 iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- # allow NAT-T including P2P
+ # allow NAT-T
 iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
 iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
index d21009353..3943c361e 100755
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
@@ -22,15 +22,15 @@ conn medsrv
 right=PH_IP_CAROL
 rightid=carol@strongswan.org
 authby=psk
- p2p_mediation=yes
+ mediation=yes
 auto=start
-conn p2p
+conn peer
 leftcert=venusCert.pem
 leftid=@venus.strongswan.org
 right=%any
 rightid=alice@strongswan.org
 rightsubnet=PH_IP_ALICE/32
- p2p_mediated_by=medsrv
- p2p_peerid=6cu1UTVw@medsrv.org
+ mediated_by=medsrv
+ me_peerid=6cu1UTVw@medsrv.org
 auto=add
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/p2pnat/medsrv-psk/evaltest.dat b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
index b8280c325..ba14bb858 100644
--- a/testing/tests/p2pnat/medsrv-psk/evaltest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec statusall::medsrv.*ESTABLISHED::YES
 bob::ipsec statusall::medsrv.*ESTABLISHED::YES
 carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
 carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_SUN.*v9oEPMz@medsrv.org::YES
-alice::ipsec statusall::p2p.*ESTABLISHED::YES
-bob::ipsec statusall::p2p.*ESTABLISHED::YES
-alice::ipsec statusall::p2p.*INSTALLED::YES
-bob::ipsec statusall::p2p.*INSTALLED::YES
+alice::ipsec statusall::peer.*ESTABLISHED::YES
+bob::ipsec statusall::peer.*ESTABLISHED::YES
+alice::ipsec statusall::peer.*INSTALLED::YES
+bob::ipsec statusall::peer.*INSTALLED::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
 bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
index 09b4cabfa..c6371c745 100755
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
@@ -21,7 +21,7 @@ start() {
 iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- # allow NAT-T including P2P
+ # allow NAT-T
 iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
 iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
index 370934ce7..99a50d5d8 100755
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
@@ -21,16 +21,16 @@ conn medsrv
 leftid=6cu1UTVw@medsrv.org
 right=PH_IP_CAROL
 rightid=carol@strongswan.org
- p2p_mediation=yes
+ mediation=yes
 authby=psk
 auto=add
-conn p2p
+conn peer
 leftcert=aliceCert.pem
 leftid=alice@strongswan.org
 right=%any
 rightid=bob@strongswan.org
 rightsubnet=PH_IP_BOB/32
- p2p_mediated_by=medsrv
- p2p_peerid=av9oEPMz@medsrv.org
+ mediated_by=medsrv
+ me_peerid=av9oEPMz@medsrv.org
 auto=start
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
index 8d8d9391f..39dee8521 100755
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
@@ -22,15 +22,15 @@ conn medsrv
 right=PH_IP_CAROL
 rightid=carol@strongswan.org
 authby=psk
- p2p_mediation=yes
+ mediation=yes
 auto=start
-conn p2p
+conn peer
 leftcert=bobCert.pem
 leftid=bob@strongswan.org
 right=%any
 rightid=alice@strongswan.org
 rightsubnet=PH_IP_ALICE/32
- p2p_mediated_by=medsrv
- p2p_peerid=6cu1UTVw@medsrv.org
+ mediated_by=medsrv
+ me_peerid=6cu1UTVw@medsrv.org
 auto=add
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
index 712d888b1..e38922cf4 100755
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
@@ -21,5 +21,5 @@ conn medsrv
 leftid=carol@strongswan.org
 leftfirewall=yes
 right=%any
- p2p_mediation=yes
+ mediation=yes
 auto=add
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca22de61f
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke
+}
diff --git a/testing/tests/sql/ip-pool-db-expired/description.txt b/testing/tests/sql/ip-pool-db-expired/description.txt
new file mode 100644
index 000000000..754c19d83
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave start a connection each
+to gateway moon. The authentication is based on X.509 certificates.
+Both carol and dave request a virtual IP via the IKEv2 configuration
+payload. The gateway moon assigns expired virtual IP addresses from a pool named bigpool
+predefined in the SQL database.
+

+Upon the successful establishment of the IPsec tunnels, automatically inserted
+iptables-based firewall rules let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping
+the client alice behind the gateway moon.
diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
new file mode 100644
index 000000000..5d9d9441a
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon::cat /var/log/daemon.log::reassigning address from expired lease from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*1h.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
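Review bot: The behaviour this test exists for — handing out addresses from expired leases — is verified by a single pattern, `moon::cat /var/log/daemon.log::reassigning address from expired lease from pool.*bigpool::YES`, which is satisfied as soon as one of the two roadwarriors receives a recycled address; the other could be served a fresh address and the test would still pass. If the log line carries the assigned address or the peer identity, splitting this into one check per roadwarrior, the way the `ipsec pool --leases --filter ... addr=10.3.0.1,id=carol@strongswan.org` and `addr=10.3.0.2,id=dave@strongswan.org` lines already do, would close that gap. The `assigning virtual IP` and `peer requested virtual IP %any` checks have the same single-occurrence property.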
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..ca813d44f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* carol@strongswan.org */
+ 3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+ 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux 
strongSwan, CN=carol@strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.secrets
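Review bot: Every link table in this file (`certificate_identity`, `private_key_identity`, `peer_configs` with `'home', 1, 3, 5`, `peer_config_child_config`, `child_config_traffic_selector`) refers to rows by literal ids that are only correct because the INSERTs run in exactly this order into empty tables; inserting or reordering an identity later silently re-points carol's certificate or private key at the wrong identity with no error. A header comment listing the assumed ids, e.g. `/* row ids assumed below: identities 1..5 in insertion order, certificates 1 = Root CA, 2 = carol, private_keys 1 = carol */`, would make the dependency visible, and a comment naming the enum the numeric `type` codes (9, 202, 3, 2 for identities, 7 for traffic selectors) come from would spare the next reader a source lookup. Dave's data.sql in this commit has the same structure and would benefit from the same two comments.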
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..5233806c7
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
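Review bot: `database = sqlite:///etc/ipsec.d/ipsec.db` makes the SQLite file the only place carol's private key lives (data.sql populates `private_keys`) while ipsec.secrets is reduced to a comment, yet nothing in the test tree records that ipsec.db therefore needs the same root-only ownership and mode that ipsec.secrets had. A comment in the `sql { }` block, e.g. `# ipsec.db holds private keys: keep it root-only, like ipsec.secrets`, would state that, and the harness step that builds the database from data.sql (not visible here) is where the mode should actually be enforced. Dave's strongswan.conf in this commit is identical and needs the same note.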
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* dave@strongswan.org */
+ 3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+ 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux 
strongSwan, CN=dave@strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..8671f3070
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,171 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* carol@strongswan.org */
+ 3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* dave@strongswan.org */
+ 3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux 
strongSwan, CN=moon.strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, pool
+) VALUES (
+ 'rw', 1, 3, 5, 'bigpool'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 3
+);
+
+/* Pools */
+
+INSERT INTO pools (
+ name, start, end, next, timeout
+) VALUES (
+ 'bigpool', X'0a030001', X'0a03fffe', X'0a030003', 3600
+);
+
+INSERT INTO leases (
+ pool, address, identity, acquired, released
+) VALUES (
+ 1, X'0a030001', 7, 1211299013 , 1211299205
+);
+
+INSERT INTO leases (
+ pool, address, identity, acquired, 
released
+) VALUES (
+ 1, X'0a030002', 6, 1211299031, 1211299187
+);
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
new file mode 100644
index 000000000..d4d57ad83
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
new file mode 100644
index 000000000..c83449eaf
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
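Review bot: The two `leases` rows that close this data.sql encode the test's precondition only implicitly: `acquired`/`released` are fixed epoch values from May 2008 and the pool `timeout` is 3600, so both leases are stale at any run time, and the identity mapping (identity 7 = dave on 10.3.0.1, identity 6 = carol on 10.3.0.2) is the reverse of the one used in the ip-pool-db-restart variant of this file. If the crosswise assignment is meant to prove that an expired lease is not handed back by identity, a comment above `/* Pools */` saying so would make the fixture readable, e.g. `/* both leases are expired (timeout 3600 s); carol/dave are stored crosswise so a reassignment by identity would be visible */` — that intent is my inference from the evaltest pattern, so please confirm it. The first lease row also has a stray space before the comma: `1, X'0a030001', 7, 1211299013, 1211299205`.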
@@ -0,0 +1,19 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --leases
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf
new file mode 100644
index 000000000..75510b295
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db-restart/description.txt b/testing/tests/sql/ip-pool-db-restart/description.txt
new file mode 100644
index 000000000..83e48ae57
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/description.txt
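Review bot: The `cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db` steps create, on every host, a database that contains the host's private key (the `private_keys` row in data.sql), yet nothing in this pretest restricts the mode of either `ipsec.db` or the intermediate `ipsec.sql`, so both are created with whatever umask the UML shell happens to have. Adding `moon::chmod 600 /etc/ipsec.d/ipsec.sql /etc/ipsec.d/ipsec.db` (and the same line for carol and dave) after the sqlite3 steps would keep the key material readable only by root; posttest does remove the files, but only after the whole test has run. The identical sequence appears in ip-pool-db-restart/pretest.dat further down and would need the same lines.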
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave restart a connection each
+to gateway moon. The authentication is based on X.509 certificates.
+Both carol and dave request a virtual IP via the IKEv2 configuration
+payload. The gateway moon reassigns the static and reserved virtual IP addresses
+from a pool named bigpool predefined in the SQL database.
+

+Upon the successful establishment of the IPsec tunnels, automatically inserted
+iptables-based firewall rules let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping
+the client alice behind the gateway moon.
diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
new file mode 100644
index 000000000..5db30da40
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon::cat /var/log/daemon.log::reassigning address from valid lease from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..ca813d44f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* carol@strongswan.org */
+ 3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+ 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, 
identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..5233806c7
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* dave@strongswan.org */
+ 3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+ 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
+ 1, 1, 
X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba13
7c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..d250628e7
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,171 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* carol@strongswan.org */
+ 3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* dave@strongswan.org */
+ 3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+ 1, 1, 
X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf7
43bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, pool
+) VALUES (
+ 'rw', 1, 3, 5, 'bigpool'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 3
+);
+
+/* Pools */
+
+INSERT INTO pools (
+ name, start, end, next, timeout
+) VALUES (
+ 'bigpool', X'0a030001', X'0a03fffe', X'0a030003', 0
+);
+
+INSERT INTO leases (
+ pool, address, identity, acquired, released
+) VALUES (
+ 1, X'0a030001', 6, 1211299013 , 1211299205
+);
+
+INSERT INTO leases (
+ pool, address, identity, acquired, released
+) VALUES (
+ 
1, X'0a030002', 7, 1211299031, 1211299187
+);
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
new file mode 100644
index 000000000..d4d57ad83
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
new file mode 100644
index 000000000..4ecf6347a
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
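Review bot: The `pools` row in this data.sql sets `timeout` to 0 while the otherwise identical ip-pool-db-expired fixture uses 3600, and the hunk gives no hint what 0 is supposed to mean. The accompanying evaltest expects `reassigning address from valid lease`, so 0 presumably disables lease expiry here; if that is the case, a comment on the `/* Pools */` block such as `/* timeout 0: leases do not expire, so carol (identity 6) and dave (identity 7) get their stored addresses back */` would document the precondition this test depends on — please verify the meaning of 0 against the pool implementation before adding it.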
@@ -0,0 +1,19 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --leases
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up home
+carol::ipsec up home
diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf
new file mode 100644
index 000000000..75510b295
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db/description.txt b/testing/tests/sql/ip-pool-db/description.txt
new file mode 100644
index 000000000..92fca6ebd
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on X.509 certificates.
+Both carol and dave request a virtual IP via the IKEv2 configuration
+payload. The gateway moon assigns virtual IP addresses from a pool named bigpool
+predefined in the SQL database.
+

+Upon the successful establishment of the IPsec tunnels, automatically inserted
+iptables-based firewall rules let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping
+the client alice behind the gateway moon.
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
new file mode 100644
index 000000000..07d17b338
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon::cat /var/log/daemon.log::assigning lease with new address from pool.*bigpool::YES
+moon::cat /var/log/daemon.log::assigning virtual IP::YES
+moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES
+moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES
+moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..ca813d44f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* carol@strongswan.org */
+ 3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+ 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key,
identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
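Review bot: The `kind` column in the two `child_config_traffic_selector` inserts is written as a bare integer (1 and 2 here, 0 and 3 in moon's ip-pool-db data.sql, 0 and 1 in the net2net-cert files) while the neighbouring `traffic_selectors` rows do get a `/* 10.1.0.0/16 */` style comment; a reader has to open tables.sql to learn which side each value selects. A one-line comment on each row, e.g. `1, 1, 1 /* kind 1 = <meaning per tables.sql> */`, would make the initiator/responder mapping reviewable in place and would have made the differing value pairs across hosts self-explaining. The meaning of the values is not visible in this chunk, so the comment text has to come from the schema definition.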
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..5233806c7
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* dave@strongswan.org */
+ 3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+ 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */
+ 1,
X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94
fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'home', 1, 3, 5, '0.0.0.0'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..b7585f56b
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,147 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, pool
+) VALUES (
+ 'rw', 1, 3, 5, 'bigpool'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 3
+);
+
+/* Pools */
+
+INSERT INTO pools (
+ name, start, end, next, timeout
+) VALUES (
+ 'bigpool', X'0a030001', X'0a03fffe', X'0a030001', 0
+);
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
new file mode 100644
index 000000000..d4d57ad83
--- /dev/null
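Review bot: The `rw` row in `peer_configs` uses `remote_id` 5, which is the `%any` identity inserted above, together with an `ike_configs` remote of `'0.0.0.0'`, so the only thing that bounds who can reach this gateway and draw an address from `bigpool` is what the stored certificates rows vouch for — presumably any certificate chaining to the Root CA in certificates row 1. That is the intended roadwarrior shape for this test, but the fixture states it nowhere; a comment on the insert such as `/* rw: accept any peer certified by the Root CA above; each gets a bigpool lease */` would make the trust boundary explicit for whoever copies this file as a template. The `timeout` value 0 on the `pools` row is likewise undocumented, and its meaning is not visible in this chunk, so confirm it against tables.sql before annotating it.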
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
new file mode 100644
index 000000000..76316f33d
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf
new file mode 100644
index 000000000..75510b295
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/net2net-cert/description.txt b/testing/tests/sql/net2net-cert/description.txt
new file mode 100644
index 000000000..eca79f0bf
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on X.509 certificates. Upon the successful
+establishment of the IPsec tunnel, automatically inserted iptables-based firewall rules
+let pass the tunneled traffic. In order to test both tunnel and firewall, client alice
+behind gateway moon pings client bob located behind gateway sun.
diff --git a/testing/tests/sql/net2net-cert/evaltest.dat b/testing/tests/sql/net2net-cert/evaltest.dat
new file mode 100644
index 000000000..e67c39a08
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..a5e0afcd7
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 5
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 5
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_MOON', 'PH_IP_SUN'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, mobike
+) VALUES (
+ 'net-net', 1, 3, 4, 0
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'net-net', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a020000', X'0a02ffff'
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 1
+);
+
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..0d772ef10
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
@@ -0,0 +1,138 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+ 202, X'da9c6fa72dc33363ac09b99af29085bedd48dc27'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */
+ 1, 1,
X'3082040b308202f3a003020102020102300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313535335a170d3039303930393131313535335a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b30190603550403131273756e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43c7e807d879059f76800e499104c936ea05e85033a2af751a1ed3a36eff83be29d35f92527b126817cf98d7c6a786af752130cb6756300ffbba3d036def0c10ab2c373b69d0942e6e9dacee7f26aeb40b1aca81e98012d3d97be570e34b7caa4c202d1f5903e33025fe3fc0c9e401b8b4780b2244982feba83dff6bea6be3609a963b85060051a424d4a54e2696c95949eceff70bbad4fc131716fc5439411d477f9709174e12a0537b848564712da8694a57441a68934e6c77d24fd76ce305da71ce6c41ede4463db9644619b8fcd5945688d93474db5ba677941effcdbdd58b739f7533c70418441d596d974d56cbd8637aeeaf217731a022f6fb4093cc70203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604143dc4b9320816f242645eb74bef575160eb3e6ad8306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301d0603551d1104163014821273756e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010019042ba2201ad12c30849a6b19dece33eadf0490066ec6b70cfcc509f1d7d51ee26720ecf5aa61d432be22051adfbec4bf553ba01d0495da663a8249ba00a3b4d2dfa56dedd515c11112ff41fa4edbe54f5addd27d9d0eab8f238aa0753152cc6513c22026444234f8b09dc762ce59bae72ebe8c5e331deb4381f152d1ed303dd2e4934cc05162397023c88cab4e56fb62e4494d3e6113e466b3c1944395e7b7bcca67bc9fa122c5cf2d3f70b14f750bc4240ef0f1cace0c26690e010a547572516bb2b753b8e8ddf27547c3727289a10f475879b7c426c3
7b1e4c1d39ef9b59644adc7bd4218ced313a54fcb4dbc525ad2c3426a130095c2cb5e8b670ccf080');
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 5
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+ 1, X'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');
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 5
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_SUN', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, mobike
+) VALUES (
+ 'net-net', 1, 4, 3, 0
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'net-net', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a020000', X'0a02ffff'
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat
new file mode 100644
index 000000000..13f7ede0a
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
new file mode 100644
index 000000000..2ab18542f
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -0,0 +1,12 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
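Review bot: `moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db` creates the database with whatever mode the ambient umask yields, yet that file, and the intermediate ipsec.sql written by the line before it, carry the host's private key (and in the psk variants the shared secret) in cleartext, so they deserve the owner-only protection one would give ipsec.secrets. Adding `moon::chmod 600 /etc/ipsec.d/ipsec.sql /etc/ipsec.d/ipsec.db` (and the sun counterpart) right after the sqlite3 step, or a `umask 077` in front of the cat/sqlite3 commands if the driver runs them through a shell, would close that gap; in the UML test network the exposure is small, but these scripts are the template people copy from. As a style point, `sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql` avoids the pipe through cat. The same sequence recurs in the net2net-psk pretest on L309 and the rw-cert pretest on L325.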
+++ b/testing/tests/sql/net2net-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-psk/description.txt b/testing/tests/sql/net2net-psk/description.txt
new file mode 100644
index 000000000..7c645b94f
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on Preshared Keys (PSK). Upon the successful
+establishment of the IPsec tunnel, automatically inserted iptables-based firewall rules
+let pass the tunneled traffic. In order to test both tunnel and firewall, client alice
+behind gateway moon pings client bob located behind gateway sun.
diff --git a/testing/tests/sql/net2net-psk/evaltest.dat b/testing/tests/sql/net2net-psk/evaltest.dat
new file mode 100644
index 000000000..e67c39a08
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..aa6e84c48
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql
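Review bot: `crlcheckinterval=180` and `strictcrlpolicy=no` in this `config setup` govern certificate revocation checking, but net2net-psk authenticates with a pre-shared key and moon's strongswan.conf in the next file section loads neither the x509 nor the curl plugin, so the two settings appear to be dead configuration carried over from the cert variant of the test. Either drop them or mark them, e.g. `# CRL settings unused here: PSK authentication, no x509/curl plugins loaded`, so nobody reads them as evidence that revocation is exercised by this test. The identical block recurs in sun's ipsec.conf on L307 and, presumably with the same strongswan.conf, in the rw-psk-ipv4 carol ipsec.conf on L326.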
@@ -0,0 +1,90 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+ );
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'bfe364c58f4b2d9bf08f8a820b6a3f806ad60c5d9ddb58cb'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 2
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_MOON', 'PH_IP_SUN'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method, mobike
+) VALUES (
+ 'net-net', 1, 1, 2, 2, 0
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'net-net', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a020000', X'0a02ffff'
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 1
+);
+
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
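Review bot: The third identities row (`0, '%any'`) is never referenced in this file: shared_secret_identity binds the PSK only to identities 1 and 2 and peer_configs uses local_id 1 / remote_id 2, so it is dead data, and sun's counterpart on L308 does not have it. Delete it, or if it is reserved for a later variant, add `/* unused in this test */` beside it so the deliberately tight binding of the shared secret to the two named peers is not loosened by someone "fixing" the orphan row. It also stores its value as the text literal `'%any'` while every other identities row uses a hex BLOB; a one-line comment saying why that row is represented differently would help.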
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1a4ac234e
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..7c2865fd8
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql
@@ -0,0 +1,84 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'bfe364c58f4b2d9bf08f8a820b6a3f806ad60c5d9ddb58cb'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 2
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_SUN', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method, mobike
+) VALUES (
+ 'net-net', 1, 2, 1, 2, 0
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'net-net', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a020000', X'0a02ffff'
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1a4ac234e
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat
new file mode 100644
index 000000000..13f7ede0a
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
new file mode 100644
index 000000000..2ab18542f
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -0,0 +1,12 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/rw-cert/description.txt b/testing/tests/sql/rw-cert/description.txt
new file mode 100644
index 000000000..ee706e053
--- /dev/null
+++ b/testing/tests/sql/rw-cert/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on X.509 certificates.
+Upon the successful establishment of the IPsec tunnels, automatically inserted
+iptables-based firewall rules let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping
+the client alice behind the gateway moon.
diff --git a/testing/tests/sql/rw-cert/evaltest.dat b/testing/tests/sql/rw-cert/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/sql/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..ef9c228e1
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'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' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'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' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, 
identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 3, 5 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf 
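Review bot: The Root CA DN identity is written as uppercase hex (`9, X'3045310B3009...'`) while every other X'…' literal in this file, including the same DN bytes embedded in the certificate blobs, is lowercase; SQLite stores both identically, but a grep for the DN bytes across the file misses this row and the mixed case reads as if the value came from a different tool. Normalize it to lowercase so the literals are visually comparable. The same uppercase row appears in dave's data.sql ending on L318 and moon's ending on L323; the hunk for carol starts on L312 and is split across L312–L313 in this rendering.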
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..5a4bbd5c0
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, 
X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux 
strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8eb
bfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'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' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 3, 5 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.secrets 
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..67570add2
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, 
X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf7
43bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760
b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'rw', 1, 3, 5 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + 
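Review bot: The `ike_configs` row pairs `'PH_IP_MOON'` with remote `'0.0.0.0'` and `peer_configs` sets remote_id to identity 5 (`%any`), so the `rw` config is offered to an initiator from any address presenting any identity; the only thing that presumably constrains who is accepted is a certificate chaining to the Root CA stored as certificates row 1, since pretest empties /etc/ipsec.d/cacerts. That is the intended road-warrior shape, but it is invisible from the rows themselves and deserves a comment on the ike_configs insert, e.g. `/* any initiator address; peers are accepted on a valid cert under the Root CA above (remote_id = %any) */`. The two child_config_traffic_selector rows use kind 0 and 3 where carol's and dave's files use 1 and 2; a one-line comment naming what each kind value denotes would spare readers a trip to tables.sql. The hunk starts on L320.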
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat
new file mode 100644
index 000000000..d4d57ad83
--- /dev/null
+++ b/testing/tests/sql/rw-cert/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat
new file mode 100644
index 000000000..76316f33d
--- /dev/null
+++ b/testing/tests/sql/rw-cert/pretest.dat
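Review bot: The tenth line of rw-cert/posttest.dat is a bare `~`, which looks like a stray editor artifact rather than a `host::command` entry like the nine lines above it; the net2net posttest files on L303 and L309 end cleanly after the last `rm`. Drop it so the file ends at `+dave::rm /etc/ipsec.d/ipsec.*`. How the test driver treats a line without the `::` separator is not visible here, so at best it is noise in the cleanup log and at worst it aborts the cleanup that removes the database holding the private keys.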
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/sql/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-ipv4/description.txt b/testing/tests/sql/rw-psk-ipv4/description.txt
new file mode 100644
index 000000000..547008f74
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/description.txt
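Review bot: `ipsec.db` is created by `sqlite3` with the caller's default umask, yet on moon it contains the RSA private key in the clear (the PSK variants of this test put the shared secrets there); add `moon::chmod 600 /etc/ipsec.d/ipsec.db` (and the carol/dave equivalents) right after the import, or set a restrictive umask before it. `sqlite3`'s exit status is also not checked, so a syntax error in data.sql would only surface later as an unexplained `ipsec up home` failure. The `cat file | sqlite3 db` form can be `sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql`, which drops the extra process and reports an unreadable input file on the line that matters.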
@@ -0,0 +1,6 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The authentication is based on distinct pre-shared keys
+and IPv4 addresses. Upon the successful establishment of the IPsec tunnels,
+automatically inserted iptables-based firewall rules let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping the
+client alice behind the gateway moon.
diff --git a/testing/tests/sql/rw-psk-ipv4/evaltest.dat b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..a5ff52d65
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql
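Review bot: `ipsec.conf` is added with mode 100755 here (and in dave's copy below), while moon's copy in this same test is 100644; a daemon configuration file has no reason to carry execute bits, and the differing modes look accidental rather than intended. Strip them (`chmod 644`) so all three copies match moon's.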
@@ -0,0 +1,84 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* 192.168.0.1 */
+ 1 , X'c0a80001'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* 192.168.0.100 */
+ 1 , X'c0a80064'
+ );
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'16964066a10de938bdb2ab7864fe4459cab1'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 2
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'home', 1, 2, 1, 2
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1a4ac234e
--- /dev/null
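Review bot: The numeric codes in this fixture are undocumented — `type` 1 in `identities`, `type` 7 in `traffic_selectors`, `auth_method` 2 in `peer_configs`, `kind` 1 and 2 in `child_config_traffic_selector` — while only the address blobs get a comment. The identity and TS types line up with the IKEv2 numbering (ID_IPV4_ADDR = 1, TS_IPV4_ADDR_RANGE = 7), but `auth_method` and `kind` are strongSwan-internal and cannot be read off the file; moon's copy uses `kind` 0 and 3 for what are presumably the mirrored local/remote sides, which a reader has no way to confirm here. Suggest annotating each value inline, e.g. `1 /* ID_IPV4_ADDR */`, `7 /* TS_IPV4_ADDR_RANGE */`, plus a one-line comment above the `peer_configs` insert stating what `auth_method` 2 selects.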
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..ac39472f3
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,84 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* 192.168.0.1 */
+ 1 , X'c0a80001'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* 192.168.0.200 */
+ 1 , X'c0a800c8'
+ );
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'8d5cce342174da772c8224a59885deaa118d'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 2
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'home', 1, 2, 1, 2
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1a4ac234e
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..231b84cb9
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,114 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* 192.168.0.1 */
+ 1 , X'c0a80001'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* 192.168.0.100 */
+ 1 , X'c0a80064'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* 192.168.0.200 */
+ 1 , X'c0a800c8'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'16964066a10de938bdb2ab7864fe4459cab1'
+);
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'8d5cce342174da772c8224a59885deaa118d'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 2, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 2, 3
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_MOON', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'rw', 1, 1, 4, 2
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 3
+);
+
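Review bot: The `rw` peer config uses identity 4 (`%any`) as `remote_id`, so the responder does not pin the initiator's identity at all; the only thing separating carol from dave is which `shared_secrets` row is bound to the ID the initiator claims (row 1 to {moon, carol}, row 2 to {moon, dave}). That is sound exactly as long as each PSK is bound to one peer identity, which is easy to break by adding another `shared_secret_identity` row, so it deserves a comment above the `peer_configs` insert: `/* remote_id %any: a peer is authenticated solely by the PSK bound to its claimed IPv4 ID */`. The `%any` row also stores a TEXT `'%any'` where every other `identities.data` value is an `X''` blob; presumably the sql plugin ignores `data` for type 0, but that is worth confirming rather than relying on.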
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1a4ac234e
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
new file mode 100644
index 000000000..d4d57ad83
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
new file mode 100644
index 000000000..76316f33d
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
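Review bot: The trailing `+~` line is a stray editor artifact, not a `host::command` entry; the rw-psk-ipv6 posttest.dat in this commit has no such line. Remove it so the harness does not try to run it on some host. The three `rm /etc/ipsec.d/ipsec.*` lines also leave `data.sql`, which carries both PSKs in hex, on the hosts after the run — fine for disposable UML images, but worth a comment if they persist.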
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-ipv6/description.txt b/testing/tests/sql/rw-psk-ipv6/description.txt
new file mode 100644
index 000000000..d8f6805de
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/description.txt
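Review bot: The database built here holds both pre-shared keys in the clear, and `sqlite3` creates it with whatever umask the harness shell has; add a `chmod 600 /etc/ipsec.d/ipsec.db` step on each host after the import. `sqlite3`'s exit status is not checked either, so a malformed data.sql only shows up later as a failed `ipsec up home` with no hint why; `sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql` at least avoids the needless `cat` and reports an unreadable input on the offending line. This file is byte-identical to the rw-cert pretest.dat (same blob 76316f33d), so whichever fix is taken should land in both.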
@@ -0,0 +1,6 @@
+The roadwarriors carol and dave set up an IPv6 tunnel connection each
+to gateway moon. The authentication is based on distinct pre-shared keys
+and IPv6 addresses. Upon the successful establishment of the IPsec tunnels automatically
+inserted ip6tables-based firewall rules let pass the tunneled traffic. In order to test
+both tunnel and firewall, both carol and dave send an IPv6 ICMP request
+to client alice behind the gateway moon using the ping6 command.
diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
new file mode 100644
index 000000000..cee1853c4
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ /sbin/ip6tables -P INPUT DROP
+ /sbin/ip6tables -P OUTPUT DROP
+ /sbin/ip6tables -P FORWARD DROP
+
+ # allow esp
+ ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow last UDP fragment
+ ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+ # allow ICMPv6 neighbor-solicitations
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+ # allow ICMPv6 neighbor-advertisements
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ # log dropped packets
+ ip6tables -A INPUT -j LOG --log-prefix " IN: "
+ ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/ip6tables -F -t $a
+ /sbin/ip6tables -X -t $a
+
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/ip6tables -t filter -P INPUT ACCEPT
+ /sbin/ip6tables -t filter -P FORWARD ACCEPT
+ /sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/ip6tables -F -t $a
+ /sbin/ip6tables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..8cbb82d71
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql
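Review bot: `stop()` and `reload()` drive `ip6tables` with the table names read from `/proc/net/ip_tables_names`, which lists the IPv4 tables; the IPv6 list is `/proc/net/ip6_tables_names`, so a table loaded for only one family is either never flushed or produces an error from the other tool. `reload()` additionally flushes only the ip6tables chains before calling `start`, which re-appends the IPv4 rules (CRL fetch, ssh) unconditionally, so every reload leaves duplicate `iptables` rules in INPUT and OUTPUT. Splitting the loop per family, each over its own table list, fixes both; `stop()` wants the same split.
```shell
reload() {
	ebegin "Flushing firewall"
	for a in `cat /proc/net/ip_tables_names`; do
		/sbin/iptables -F -t $a
		/sbin/iptables -X -t $a
	done
	for a in `cat /proc/net/ip6_tables_names`; do
		/sbin/ip6tables -F -t $a
		/sbin/ip6tables -X -t $a
	done
	eend $?
	start
}
```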
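Review bot: This `ipsec.conf` is added with mode 100755 (dave's copy below too) while moon's byte-identical copy is 100644; a configuration file should not carry execute bits. `chmod 644` so the three copies match.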
@@ -0,0 +1,84 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* fec0::1 */
+ 5 , X'fec00000000000000000000000000001'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* fec0::10 */
+ 5 , X'fec00000000000000000000000000010'
+ );
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'16964066a10de938bdb2ab7864fe4459cab1'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 2
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP6_CAROL', 'PH_IP6_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'home', 1, 2, 1, 2
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* fec1::/16 */
+ 8, X'fec10000000000000000000000000000', X'fec1ffffffffffffffffffffffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/128 */
+ 8
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1a4ac234e
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ /sbin/ip6tables -P INPUT DROP
+ /sbin/ip6tables -P OUTPUT DROP
+ /sbin/ip6tables -P FORWARD DROP
+
+ # allow esp
+ ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow last UDP fragment
+ ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+ # allow ICMPv6 neighbor-solicitations
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+ # allow ICMPv6 neighbor-advertisements
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ # log dropped packets
+ ip6tables -A INPUT -j LOG --log-prefix " IN: "
+ ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/ip6tables -F -t $a
+ /sbin/ip6tables -X -t $a
+
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/ip6tables -t filter -P INPUT ACCEPT
+ /sbin/ip6tables -t filter -P FORWARD ACCEPT
+ /sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/ip6tables -F -t $a
+ /sbin/ip6tables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..87055a216
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql
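Review bot: This file is byte-identical to carol's and moon's copies (all three share blob 25074a0f1), so the `stop()`/`reload()` fixes — iterating `/proc/net/ip6_tables_names` for the ip6tables loop, and flushing the IPv4 tables in `reload()` before `start` re-appends the `iptables` rules — must be applied three times; if the harness supports a shared default host tree (pretest.dat already reads `/etc/ipsec.d/tables.sql` from outside the per-test dirs), one copy there would be less error-prone. The `-m frag --fraglast` rule is the only UDP accept without a port match and the comment does not say why it is needed; non-first fragments carry no UDP header, so the port rules above cannot match them. Suggest `# allow last UDP fragment (non-first fragments of large IKE messages carry no UDP header, so the port rules cannot match them)`.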
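Review bot: `ipsec.conf` is again added as 100755 while moon's identical file is 100644; configuration files should not be executable. `chmod 644`.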
@@ -0,0 +1,84 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* fec0::1 */
+ 5 , X'fec00000000000000000000000000001'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* fec0::20 */
+ 5 , X'fec00000000000000000000000000020'
+ );
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'8d5cce342174da772c8224a59885deaa118d'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 2
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP6_DAVE', 'PH_IP6_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'home', 1, 2, 1, 2
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* fec1::/16 */
+ 8, X'fec10000000000000000000000000000', X'fec1ffffffffffffffffffffffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/128 */
+ 8
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1a4ac234e
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..25074a0f1
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,107 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ /sbin/ip6tables -P INPUT DROP
+ /sbin/ip6tables -P OUTPUT DROP
+ /sbin/ip6tables -P FORWARD DROP
+
+ # allow esp
+ ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow last UDP fragment
+ ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+ # allow ICMPv6 neighbor-solicitations
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+ # allow ICMPv6 neighbor-advertisements
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ # log dropped packets
+ ip6tables -A INPUT -j LOG --log-prefix " IN: "
+ ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/ip6tables -F -t $a
+ /sbin/ip6tables -X -t $a
+
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/ip6tables -t filter -P INPUT ACCEPT
+ /sbin/ip6tables -t filter -P FORWARD ACCEPT
+ /sbin/ip6tables -t filter -P OUTPUT ACCEPT
+
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/ip6tables -F -t $a
+ /sbin/ip6tables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..2479bea12
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql
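Review bot: On the gateway the two `LOG` rules at the end of INPUT and OUTPUT have no `-m limit`, and moon is the host every roadwarrior talks to, so a burst of unmatched packets goes straight to the logger this script declares it `need`s; add `-m limit --limit 5/min --limit-burst 10` (or similar) to both LOG rules. The overall shape is right for moon — forwarding enabled, FORWARD policy DROP, and only the `_updown iptables` hook named in the data.sql child config opens tunnelled traffic — so a one-line comment saying that FORWARD is intentionally left to the updown script would help the next reader. As in the other two copies, `stop()` feeds the IPv4 table names from `/proc/net/ip_tables_names` to `ip6tables`; the IPv6 list is `/proc/net/ip6_tables_names`.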
@@ -0,0 +1,114 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* fec0::1 */
+ 5 , X'fec00000000000000000000000000001'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* fec0::10 */
+ 5 , X'fec00000000000000000000000000010'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* fec0::20 */
+ 5 , X'fec00000000000000000000000000020'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'16964066a10de938bdb2ab7864fe4459cab1'
+);
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'8d5cce342174da772c8224a59885deaa118d'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 2, 1
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 2, 3
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP6_MOON', '0::0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'rw', 1, 1, 4, 2
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* fec1::/16 */
+ 8, X'fec10000000000000000000000000000', X'fec1ffffffffffffffffffffffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/128 */
+ 8
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 3
+);
+
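Review bot: The enumerated columns in this fixture — `type` 5 and 0 on identities, `type` 8 on traffic_selectors, `kind` 0 and 3, `auth_method` 2 — are bare integers with no comment saying which charon enumeration each value comes from, so the rows cannot be checked against tables.sql without the daemon sources at hand. A header comment such as `/* integer columns hold charon enum values: identity type (5 appears to be an IPv6 address, 0 = %any), TS type (8 appears to be an IPv6 range), TS kind and auth_method - see tables.sql */` would make the data reviewable; the readings in parentheses are inferred from the row comments and should be confirmed. The data.sql files for carol, dave and moon in rw-psk-rsa-split (types 9, 202, 3, 2 and 7) have the same gap.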
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1a4ac234e
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
new file mode 100644
index 000000000..bdfd9ed00
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+alice::"ip route del fec0:\:/16 via fec1:\:1"
+carol::"ip route del fec1:\:/16 via fec0:\:1"
+dave::"ip route del fec1:\:/16 via fec0:\:1"
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
new file mode 100644
index 000000000..253438dbf
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -0,0 +1,21 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::"ip route add fec0:\:/16 via fec1:\:1"
+carol::"ip route add fec1:\:/16 via fec0:\:1"
+dave::"ip route add fec1:\:/16 via fec0:\:1"
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf
new file mode 100644
index 000000000..80cf5e3a1
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-rsa-split/description.txt b/testing/tests/sql/rw-psk-rsa-split/description.txt
new file mode 100644
index 000000000..23080964a
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/description.txt
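Review bot: `cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db` lets sqlite3 create the database with the process's default umask, and that file now carries the pre-shared keys (and, in rw-psk-rsa-split, moon's private key) that `ipsec.secrets` would otherwise hold under restrictive permissions; adding `moon::chmod 600 /etc/ipsec.d/ipsec.db` (and the same for carol and dave) after the import keeps the SQL-backed setup equivalent to the file-backed one. The `cat |` is also redundant: `sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql` does the same without the extra process. The pretest.dat of rw-psk-rsa-split at the end of this page has the same two points.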
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection each
+to gateway moon. The roadwarriors' authentication is based on
+Pre-Shared Keys (PSK) whereas the gateway uses an RSA signature
+(RSASIG) certified by an X.509 certificate.
+Upon the successful establishment of the IPsec tunnels, automatically inserted
+iptables-based firewall rules let pass the tunneled traffic.
+In order to test both tunnel and firewall, both carol and dave ping
+the client alice behind the gateway moon.
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
new file mode 100644
index 000000000..0e5bd03db
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -0,0 +1,12 @@
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
+moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..31c6bf81f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,116 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* carol@strongswan.org */
+ 3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'16964066a10de938bdb2ab7864fe4459cab1'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 4
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_CAROL', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'home', 1, 3, 4, 2
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..e12ca449d
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
@@ -0,0 +1,117 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* dave@strongswan.org */
+ 3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'8d5cce342174da772c8224a59885deaa118d'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 4
+);
+
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_DAVE', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'home', 1, 3, 4, 2
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'home', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 2
+);
+
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..4f66841fa
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,191 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 202, X'd70dbd46d5133519064f12f100525ead0802ca95'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* carol@strongswan.org */
+ 3, X'6361726f6c407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* dave@strongswan.org */
+ 3, X'64617665407374726f6e677377616e2e6f7267'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+/* Shared Secrets */
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'16964066a10de938bdb2ab7864fe4459cab1'
+);
+
+INSERT INTO shared_secrets (
+ type, data
+) VALUES (
+ 1, X'8d5cce342174da772c8224a59885deaa118d'
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 1, 6
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 2, 3
+);
+
+INSERT INTO shared_secret_identity (
+ shared_secret, identity
+) VALUES (
+ 2, 7
+);
+
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote, certreq
+) VALUES (
+ 'PH_IP_MOON', '0.0.0.0', 0
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id
+) VALUES (
+ 'rw', 1, 3, 5
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'rw', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 3
+);
+
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
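Review bot: The `peer_configs` row for 'rw' omits `auth_method` and so relies on the column default, whereas carol's and dave's data.sql set it explicitly to 2; the property this test exists to check — moon authenticating with an RSA signature while the roadwarriors use PSK, as evaltest.dat asserts with `authentication of 'moon.strongswan.org' (myself) with RSA signature successful` — is therefore carried by a default in tables.sql that is not visible in this fixture. Naming the column and its value in the INSERT (`name, ike_cfg, local_id, remote_id, auth_method`, with whatever value tables.sql assigns to RSA signature authentication) would make the split explicit. `certreq 0` on `ike_configs` likewise deserves a short comment, e.g. `/* do not request a certificate from the PSK roadwarriors */`, if that is its purpose here.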
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5a35561ba
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql
+}
diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
new file mode 100644
index 000000000..d4d57ad83
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
new file mode 100644
index 000000000..76316f33d
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
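Review bot: posttest.dat for rw-psk-rsa-split ends with a stray `~` line (the tenth and last line of its hunk), which is not a `host::command` entry like the nine lines above it and looks like an editor artefact; the test harness will either reject the file or attempt to run `~` as a command on some host. Delete that line so the file ends after `dave::rm /etc/ipsec.d/ipsec.*`, matching the rw-psk-ipv6 posttest.dat earlier in this patch.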
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
-- 
cgit v1.2.3