testing: Enable firewall for ikev2/compress scenario

Additionally, send a regular (small) ping as the kernel does not
compress small packets and handles those differently inbound.

diff --git a/testing/tests/ikev2/compress/description.txt b/testing/tests/ikev2/compress/description.txt
index 47829839ddc75a4bacc386bc324f65f7c6189392..4c60384f0bdb6f9959adfbc87df2c137c4c7a7e5 100644 (file)
--- a/testing/tests/ikev2/compress/description.txt
+++ b/testing/tests/ikev2/compress/description.txt
@@ -1,3 +1,4 @@
-This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and
-gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks
-the established tunnel with compression.
+This scenario enables IPComp compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> check
+the established tunnel with compression. The packet sizes of the two pings
+are different because the kernel does not compress small packets.

diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat
index b989a77744ddd775c16556644830b3a148fb9ace..843326ecc6e33738f90b9bbf4d5bbf782397791f 100644 (file)
--- a/testing/tests/ikev2/compress/evaltest.dat
+++ b/testing/tests/ikev2/compress/evaltest.dat
@@ -6,7 +6,7 @@ moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
 moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
 moon:: ip xfrm state::proto comp spi::YES
 carol::ip xfrm state::proto comp spi::YES
-carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org >  carol.strongswan.org: ESP::YES
-

diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
index 7502175e7006c8295095e0243e9346e5ae5ad161..78809898b59f9eef42b33ca28d5631707d8ba5ac 100644 (file)
--- a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
        keyingtries=1
        keyexchange=ikev2
        compress=yes
+       leftfirewall=yes
 
 conn home
        left=PH_IP_CAROL

diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index 85d8c191f0a819fb9cb7546fc6a45dcc653cfb13..dc937641cb5da2791c48351639e453d745bcf4fc 100644 (file)
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }

diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
index aa1be047e3c14a0685b0a35a935453272ff0445a..718b3c81406cb4672253bd30519958a1e0dd4a8d 100644 (file)
--- a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
        keyingtries=1
        keyexchange=ikev2
        compress=yes
+       leftfirewall=yes
 
 conn rw
        left=PH_IP_MOON

diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index 85d8c191f0a819fb9cb7546fc6a45dcc653cfb13..dc937641cb5da2791c48351639e453d745bcf4fc 100644 (file)
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }

diff --git a/testing/tests/ikev2/compress/posttest.dat b/testing/tests/ikev2/compress/posttest.dat
index c6d6235f9da76c2e037f7e0738c13c51cccf6650..046d4cfdc4678f1e7553cba9f099f029f7f6617f 100644 (file)
--- a/testing/tests/ikev2/compress/posttest.dat
+++ b/testing/tests/ikev2/compress/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush

diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index f5aa989fe3d717edefd33482cd476499c0baf3c3..29a90355fadb30faaf2606393a178607bb68f214 100644 (file)
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -1,3 +1,5 @@
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2